
Solved Error during startup: Stop: c000021a (Fatal System Error)

Discussion in 'Malware and Virus Removal Archive' started by jharry, 2015/02/07.

  1. 2015/02/27
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Here is the contents of fixlog.txt:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
    Ran by SYSTEM at 2015-02-27 20:58:51 Run:2
    Running from H:\
    Boot Mode: Recovery
    ==============================================

    Content of fixlist:
    *****************
    LastRegBack: 2014-12-19 20:16
    *****************

    DEFAULT hive was successfully copied to System32\config\HiveBackup
    DEFAULT hive was successfully restored from registry back up.
    SAM hive was successfully copied to System32\config\HiveBackup
    SAM hive was successfully restored from registry back up.
    SECURITY hive was successfully copied to System32\config\HiveBackup
    SECURITY hive was successfully restored from registry back up.
    SOFTWARE hive was successfully copied to System32\config\HiveBackup
    SOFTWARE hive was successfully restored from registry back up.
    SYSTEM hive was successfully copied to System32\config\HiveBackup
    SYSTEM hive was successfully restored from registry back up.

    ==== End of Fixlog 20:59:03 ====

    Wonderful! My computer is up and running again. Thanks a lot. What a wizard you are!
     
    Last edited: 2015/02/27
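The fixlog above shows what FRST's LastRegBack: directive does: each live hive is copied to System32\config\HiveBackup, then the copy in System32\config\RegBack is written over it. Before doing the same thing by hand from a recovery environment, it is worth confirming that every RegBack copy actually exists, is not empty, and knowing how old it is, since on Windows 7 the RegIdleBackup task refreshes RegBack only about every ten days (here the backup was from 2014-12-19, two months before the repair) and, from Windows 10 1803 onward, RegBack is left as zero-byte placeholders unless EnablePeriodicBackup is set. The script below is an added example written for this page, not FRST's code and not from the original post; the config directory is a parameter so it can be pointed at a mounted image, and the sample tree it builds is a constructed fixture, not real hive data.

```python
"""Audit RegBack hive copies before restoring them over the live hives.

Added example for this thread; not FRST's code and not from the
original post. The config directory is a parameter so the check runs
against a mounted image or the constructed tree built below.
"""
import os
import tempfile
from datetime import datetime

HIVES = ("DEFAULT", "SAM", "SECURITY", "SOFTWARE", "SYSTEM")


def audit_regback(config_dir, now=None):
    """Return {hive: {live_bytes, backup_bytes, backup_age_days, usable}}.

    A backup counts as usable only if it exists and is non-empty (a
    zero-byte file is the Windows 10 1803+ placeholder). The age tells
    the analyst how much state a restore will roll back.
    """
    now = now or datetime.now()
    backdir = os.path.join(config_dir, "RegBack")
    report = {}
    for hive in HIVES:
        live = os.path.join(config_dir, hive)
        back = os.path.join(backdir, hive)
        entry = {"live_bytes": None, "backup_bytes": None,
                 "backup_age_days": None, "usable": False}
        if os.path.isfile(live):
            entry["live_bytes"] = os.path.getsize(live)
        if os.path.isfile(back):
            st = os.stat(back)
            entry["backup_bytes"] = st.st_size
            age = now - datetime.fromtimestamp(st.st_mtime)
            entry["backup_age_days"] = age.days
            entry["usable"] = st.st_size > 0
        report[hive] = entry
    return report


def usable_hives(report):
    """Names of hives whose RegBack copy passed the checks, sorted."""
    return sorted(h for h, e in report.items() if e["usable"])


def build_sample_tree():
    """Constructed fixture (not a real Windows config directory).

    Live hives dated 2015-02-27 and RegBack copies dated 2014-12-19,
    matching the fixlog above; SAM's backup is left empty to show how a
    placeholder file is flagged.
    """
    root = tempfile.mkdtemp(prefix="config_")
    os.mkdir(os.path.join(root, "RegBack"))
    live_ts = datetime(2015, 2, 27, 20, 58).timestamp()
    back_ts = datetime(2014, 12, 19, 20, 16).timestamp()
    blob = b"regf" + b"\x00" * 4092  # hive files start with the 'regf' magic
    for hive in HIVES:
        live = os.path.join(root, hive)
        with open(live, "wb") as f:
            f.write(blob)
        os.utime(live, (live_ts, live_ts))
        back = os.path.join(root, "RegBack", hive)
        with open(back, "wb") as f:
            if hive != "SAM":
                f.write(blob)
        os.utime(back, (back_ts, back_ts))
    return root


def demo():
    """Audit the constructed tree as of 2015-02-28 00:00 local time."""
    return audit_regback(build_sample_tree(), now=datetime(2015, 2, 28))


if __name__ == "__main__":
    for hive, e in demo().items():
        print(f"{hive:<9} backup={e['backup_bytes']!s:>6} B "
              f"age={e['backup_age_days']} d usable={e['usable']}")
```

Against a real system, call audit_regback(r"C:\Windows\System32\config") from an elevated prompt, or against the config directory of a mounted image. An old but non-empty backup is still a rollback decision: anything installed, activated or reconfigured after the backup date will be lost, which is exactly what happened further down this thread when the restored SOFTWARE hive no longer carried the Windows activation state.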
  2. 2015/02/27
    broni

    broni Moderator Malware Analyst

    Try to start your computer in normal or safe mode.
     


  4. 2015/02/27
    jharry

    jharry Inactive Thread Starter

    I started my computer in normal mode. The desktop looked normal, except a message appeared in the lower right corner:
    Windows 7 Build 7601 This copy of Windows is not genuine.
    Another message window appeared:
    An unauthorized change was made to Windows. Windows has discovered a change that will result in limited Windows functionality. Use the link below to find out how to fix Windows.

    Added reply:
    After several re-starts, an "Activation" window appeared asking me to enter the Windows 7 product key. I entered the product key. The activation was successful. Now my computer starts up without the message about Windows being not genuine.
     
    Last edited: 2015/02/28
  5. 2015/02/27
    broni

    broni Moderator Malware Analyst

    Good news after all.

    Go ahead and follow that link which should let you re-validate your Windows installation.
    It'll be my last reply for tonight so let me know what happens.
    Unfortunately, some serious infections, like the rootkit in your case, will create such a mess, but hopefully we can resolve that as well.
    In some cases it may be necessary to actually call Microsoft to validate your Windows installation so keep me posted what happened.
     
  6. 2015/02/28
    jharry

    jharry Inactive Thread Starter

    Dear Broni:

    After several re-starts, an "Activation" window appeared asking me to enter the Windows 7 product key. I entered the product key. The activation was successful. Now my computer starts up without the message about Windows being not genuine.

    Thanks again.

    How do I close this thread and consider it resolved?
     
  7. 2015/02/28
    Evan Omo

    Evan Omo Computer Support Technician Staff

    broni will take care of that since he is the moderator of the Malware and Virus Removal Forum.
     
  8. 2015/02/28
    broni

    broni Moderator Malware Analyst

    Very good news but we're not done.
    Your computer was very seriously infected so we have to run some more scans to make sure nothing else is hiding there.

    Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
    NOTE. If you already have MBAM 2.0 installed scroll down.

    • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Launch Malwarebytes Anti-Malware
      • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    • Click Finish.
    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.


    If you already have MBAM 2.0 installed:

    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.

    How to get logs:
    (Export log to save as txt)


    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Export'.
    • Click 'Text file (*.txt)'
    • In the Save File dialog box which appears, click on Desktop.
    • In the File name: box type a name for your scan log.
    • A message box named 'File Saved' should appear stating "Your file has been successfully exported ".
    • Click Ok
    • Attach that saved log to your next reply.


    (Copy to clipboard for pasting into forum replies or tickets)

    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Copy to Clipboard'
    • Paste the contents of the clipboard into your reply.

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    Create a new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.
    • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    • Double click on the downloaded file. OK the self-extracting prompt.
    • MBAR will start. Click "Next" to continue.
    • In the following screen click "Update" to obtain the latest malware definitions.
    • Once the update is complete select "Next" and click "Scan".
    • When the scan is finished and no malware has been found select "Exit".
    • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
      • "mbar-log-{date} (xx-xx-xx).txt"
      • "system-log.txt"
    NOTE. If you see the "This version requires you to completely exit the Anti Malware application" message, right-click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.
     
  9. 2015/03/05
    broni

    broni Moderator Malware Analyst

    Still with me?
     
  10. 2015/03/10
    broni

    broni Moderator Malware Analyst

    This topic is marked as abandoned and closed due to inactivity.

    This member will NOT be eligible to receive any more help in malware removal forum.
     
  11. 2015/03/12
    jharry

    jharry Inactive Thread Starter

    Dear Broni:

    I was out of town. Although I could see your messages, I did not have access to my laptop. Now I am back and have followed your instructions.
    The Malwarebytes scan detected only 90 non-malware items, and the actions were all "ignore", so I've skipped posting the report.
    The RogueKiller report is posted below.
    RogueKiller V10.5.4.0 (x64) [Mar 12 2015] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : owner [Administrator]
    Started from : C:\Downloads\roguekiller\RogueKillerX64.exe
    Mode : Delete -- Date : 03/12/2015 09:47:02

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 29 ¤¤¤
    [PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0} -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> Not selected
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7} -> Not selected
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0} -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\70e6ca8c ( "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll ",SVC) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hshld (C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HssTrayService (C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HssWd (C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\70e6ca8c ( "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll ",SVC) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hshld (C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HssTrayService (C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HssWd (C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\70e6ca8c ( "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll ",SVC) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hshld (C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HssTrayService (C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HssWd (C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe) -> Not selected
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Not selected
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Not selected
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01 -> Not selected
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01 -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AF72873D-8295-4B2F-8CCD-C4BD2BEBD08F} | DhcpNameServer : 172.31.248.17 66.28.0.45 [(Private Address) (XX)][UNITED STATES (US)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AF72873D-8295-4B2F-8CCD-C4BD2BEBD08F} | DhcpNameServer : 172.31.248.17 66.28.0.45 [(Private Address) (XX)][UNITED STATES (US)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F46BF631-87C8-4094-BBC6-3FE59F6B346B} | DhcpNameServer : 116.228.111.118 180.168.255.18 [(Unknown Country?) (XX)][(Unknown Country?) (XX)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{AF72873D-8295-4B2F-8CCD-C4BD2BEBD08F} | DhcpNameServer : 172.31.248.17 66.28.0.45 [(Private Address) (XX)][UNITED STATES (US)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{AF72873D-8295-4B2F-8CCD-C4BD2BEBD08F} | DhcpNameServer : 172.31.248.17 66.28.0.45 [(Private Address) (XX)][UNITED STATES (US)] -> Not selected
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Not selected
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Not selected
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 3 ¤¤¤
    [PUP][FIREFX:Addon] x5lifesp.default-1414986831002 : Hotspot Shield Extension [afproxy@anchorfree.com] -> Not selected
    [PUM.Proxy][FIREFX:Config] x5lifesp.default-1414986831002 : user_pref( "network.proxy.http ", "127.0.0.1 "); -> Not selected
    [PUM.Proxy][FIREFX:Config] x5lifesp.default-1414986831002 : user_pref( "network.proxy.http_port ", 8580); -> Not selected

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST9500325AS +++++
    --- User ---
    [MBR] 55a04d89e8315fe945a6188ddca4b4c1
    [BSP] 1e247d53995ca31cc8f20679b74fbd70 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 MB
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 24578048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 24782848 | Size: 464838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK

    The Malwarebytes Anti-Rootkit scan ended with "Scan finished. No malware found".

    Everything looks OK. Thanks again.
     
    Last edited: 2015/03/12
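The RogueKiller report above is mostly PUM entries ("potentially unwanted modifications"): settings that could be hostile but are frequently legitimate, which is why the tool left them "Not selected". The two kinds worth a second look are the DHCP-assigned DNS servers (DhcpNameServer, recorded per network interface and per ControlSet, so a laptop carries the resolvers of every network it has joined) and a browser proxy that points back at localhost (here 127.0.0.1:8580, consistent with the Hotspot Shield service also listed). The script below is an added example written for this page, not RogueKiller's code and not from the original post; it parses the report format as seen above (the line grammar is inferred from that output), keeps only resolvers outside private and loopback ranges, extracts any proxy preference, and lists the PUP services so each can be checked against the networks and software the user actually uses. SAMPLE_REPORT is a constructed subset of the posted report.

```python
"""Triage a RogueKiller report: separate PUM noise from entries worth acting on.

Added example for this thread; not RogueKiller's code and not from the
original post. The line format "[Category][Sub] (Arch) body -> action"
is inferred from the report posted above.
"""
import ipaddress
import re
from collections import Counter

# Constructed subset of the report posted above (not a fresh scan).
SAMPLE_REPORT = r"""
¤¤¤ Registry : 29 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\70e6ca8c ("C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",SVC) -> Not selected
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hshld (C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AF72873D-8295-4B2F-8CCD-C4BD2BEBD08F} | DhcpNameServer : 172.31.248.17 66.28.0.45 [(Private Address) (XX)][UNITED STATES (US)] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F46BF631-87C8-4094-BBC6-3FE59F6B346B} | DhcpNameServer : 116.228.111.118 180.168.255.18 [(Unknown Country?) (XX)][(Unknown Country?) (XX)] -> Not selected
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Not selected

¤¤¤ Web browsers : 3 ¤¤¤
[PUP][FIREFX:Addon] x5lifesp.default-1414986831002 : Hotspot Shield Extension [afproxy@anchorfree.com] -> Not selected
[PUM.Proxy][FIREFX:Config] x5lifesp.default-1414986831002 : user_pref("network.proxy.http", "127.0.0.1"); -> Not selected
[PUM.Proxy][FIREFX:Config] x5lifesp.default-1414986831002 : user_pref("network.proxy.http_port", 8580); -> Not selected
"""

# "[Category][Sub] (Arch) body -> action"; Sub and Arch are optional.
LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\](?:\[(?P<sub>[^\]]+)\])?\s*"
    r"(?:\((?P<arch>X64|X86)\)\s*)?(?P<body>.*?)\s*->\s*(?P<action>.+)$"
)
NS_RE = re.compile(r"NameServer\s*:\s*([\d. ]+?)\s*(?:\[|$)")
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"?([^")]*?)"?\);')


def parse_report(text):
    """One dict per finding line; section headers and blanks are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def _public_resolvers(body):
    """DNS servers in a PUM.Dns body that are neither private nor loopback."""
    m = NS_RE.search(body)
    if not m:
        return []
    out = []
    for ip in m.group(1).split():
        addr = ipaddress.ip_address(ip)
        if not (addr.is_private or addr.is_loopback):
            out.append(ip)
    return out


def triage(findings):
    """Summarise what a responder should look at first."""
    public_dns, prefs, services = [], {}, []
    for f in findings:
        body, cat = f["body"], f["cat"]
        if cat == "PUM.Dns":
            for ip in _public_resolvers(body):
                if ip not in public_dns:
                    public_dns.append(ip)
        elif cat == "PUM.Proxy":
            m = PREF_RE.search(body)
            if m:
                prefs[m.group(1)] = m.group(2)
        elif cat == "PUP" and "\\Services\\" in body:
            # Registry path is the first token; its last component is the service name.
            services.append(body.split()[0].rsplit("\\", 1)[-1])
    proxy = None
    host = prefs.get("network.proxy.http")
    if host:
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:  # a hostname rather than an address
            loopback = host.lower() == "localhost"
        proxy = {"host": host, "port": prefs.get("network.proxy.http_port"),
                 "loopback": loopback}
    return {
        "by_category": dict(Counter(f["cat"] for f in findings)),
        "public_dns": public_dns,
        "proxy": proxy,
        "pup_services": services,
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

A public resolver is not evidence of compromise by itself: DhcpNameServer is whatever the DHCP server on that network handed out, so each address should be matched to a network the machine is known to have used, and a loopback proxy should be matched to the process listening on that port (on Windows, netstat -ano | findstr :8580) before anything is deleted.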
  12. 2015/03/12
    broni

    broni Moderator Malware Analyst

    I need you to follow ALL steps from my reply #27 and post ALL logs clean or not.
     
  13. 2015/03/12
    jharry

    jharry Inactive Thread Starter

    Following is the log from the first malwarebytes scan:

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 3/12/2015
    Scan Time: 8:48:59 AM
    Logfile: Malwarebytestestlog.txt
    Administrator: Yes

    Version: 2.00.4.1028
    Malware Database: v2015.03.12.06
    Rootkit Database: v2015.02.25.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: owner

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 455326
    Time Elapsed: 29 min, 10 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Warn
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 27
    PUP.Optional.Bandoo.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{9D717F81-9148-4F12-8568-69135F087DB0}, No Action By User, [485e162e8703d066b088aaae0ff4e31d],
    PUP.Optional.Bandoo.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{9D717F81-9148-4F12-8568-69135F087DB0}, No Action By User, [485e162e8703d066b088aaae0ff4e31d],
    PUP.Optional.Bandoo.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{9D717F81-9148-4F12-8568-69135F087DB0}, No Action By User, [485e162e8703d066b088aaae0ff4e31d],
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{99079a25-328f-4bd4-be04-00955acaa0a7}, No Action By User, [426478ccd7b32016e98f51d4be45a45c],
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{99079A25-328F-4BD4-BE04-00955ACAA0A7}, No Action By User, [426478ccd7b32016e98f51d4be45a45c],
    PUP.Optional.Datamngr.A, HKLM\SOFTWARE\CLASSES\SearchQUIEHelper.DNSGuard, No Action By User, [aff7aa9ac5c5dd5935bf93c53ac9629e],
    PUP.Optional.Datamngr.A, HKLM\SOFTWARE\CLASSES\SearchQUIEHelper.DNSGuard.1, No Action By User, [5452e262a8e2d6606c88f06880833ac6],
    PUP.Optional.Datamngr.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\SearchQUIEHelper.DNSGuard, No Action By User, [5452e262a8e2d6606c88f06880833ac6],
    PUP.Optional.Datamngr.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\SearchQUIEHelper.DNSGuard.1, No Action By User, [5452e262a8e2d6606c88f06880833ac6],
    PUP.Optional.Koyote.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Free Video Converter, No Action By User, [e5c1c87cf9918baba4a0fc6f28d928d8],
    PUP.Optional.DataMangr.A, HKLM\SOFTWARE\DataMngr, No Action By User, [6f37bb895733e65027aacf0daf547c84],
    PUP.Optional.Astromenda.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pfkfdlcdbajamklbneflfbcmfgddmpae, No Action By User, [cbdb3a0a5832b185905085aec540a55b],
    PUP.Optional.DataMangr.A, HKLM\SOFTWARE\WOW6432NODE\DataMngr, No Action By User, [683e70d488028da99b368d4fc3409967],
    PUP.Optional.Astromenda.A, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\pfkfdlcdbajamklbneflfbcmfgddmpae, No Action By User, [1591f54fb8d22b0b4a96330063a2748c],
    PUP.Optional.InstallCore.A, HKLM\SOFTWARE\WOW6432NODE\INSTALLCORE\WSE_Astromenda, No Action By User, [b8ee0d37a0eafa3c721bebd707fce818],
    PUP.Optional.1ClickDownload.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\1ClickDownload, No Action By User, [6145350f0a809d9974d1c050ba4b3dc3],
    PUP.Optional.Astromenda.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\astromenda, No Action By User, [50563e06e9a1ba7c609e4b6851b2eb15],
    PUP.Optional.DataMngr.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DataMngr, No Action By User, [8a1c97ad2d5de155369e0e00897cde22],
    PUP.Optional.DataMngr.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DataMngr_Toolbar, No Action By User, [782e8cb84e3c67cf6271040aa362f50b],
    PUP.Optional.Astromenda.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WSE_Astromenda, No Action By User, [bde989bb2961f2446bfdb614966d18e8],
    PUP.Optional.Astromenda.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pfkfdlcdbajamklbneflfbcmfgddmpae, No Action By User, [2482eb595d2d251105dc8da629dc36ca],
    PUP.Optional.InstallCore.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE\1I1T1Q1S, No Action By User, [13937ec66228f83e7c9ea1587b88b947],
    PUP.Optional.InstallCore.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE, No Action By User, [b7ef77cda5e59e9827d0cf3fc1440df3],
    PUP.Optional.DataMngr.A, HKU\S-1-5-21-669636167-3881197016-1759864487-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DataMngr, No Action By User, [a006360e02888fa7c60e3dd14eb78080],
    PUP.Optional.DataMngr.A, HKU\S-1-5-21-669636167-3881197016-1759864487-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DataMngr_Toolbar, No Action By User, [85212f15c3c7ae884b88927c33d2ba46],
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Searchqu 0 MediaBar, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows Searchqu Toolbar, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],

    Registry Values: 3
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR|{99079A25-328F-4BD4-BE04-00955ACAA0A7}, Searchqu Toolbar, No Action By User, [426478ccd7b32016e98f51d4be45a45c]
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\{99079a25-328f-4bd4-be04-00955acaa0a7}, No Action By User, [b3f35ee676141b1b5a1e39ec21e26e92],
    PUP.Optional.InstallCore.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, zr2X2X1G1S1F2V1S2Q0V, No Action By User, [b7ef77cda5e59e9827d0cf3fc1440df3]

    Registry Data: 0
    (No malicious items detected)

    Folders: 14
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\coupons, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weather, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.OpenCandy, C:\Users\owner\AppData\Roaming\OpenCandy, No Action By User, [61458db76129de5883baaebe788b43bd],
    PUP.Optional.OpenCandy, C:\Users\owner\AppData\Roaming\OpenCandy\69595B2DF19C4C7B9947F3A0C5AD1D1C, No Action By User, [61458db76129de5883baaebe788b43bd],
    PUP.Optional.Datamngr.A, C:\Users\owner\AppData\LocalLow\DataMngr, No Action By User, [6c3ad66eddade3539ecc6d05cc37d42c],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchquband, No Action By User, [b7eff2528efc79bd2280522b06fd0af6],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Roaming\Astromenda, No Action By User, [792deb590a80989ecd937d0e81821ae6],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Roaming\Astromenda\BRS, No Action By User, [792deb590a80989ecd937d0e81821ae6],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\Roaming\searchquband, No Action By User, [aff7271d7b0f78beea3ed1c9ee150cf4],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Local\Astromenda, No Action By User, [a600ee565535d561c44e4f507b8855ab],

    Files: 46
    PUP.Optional.Koyote.A, C:\Program Files (x86)\Free Video Converter\Uninstall.exe, No Action By User, [e5c1c87cf9918baba4a0fc6f28d928d8],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\guid.dat, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\dtx.ini, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\geodata.xml, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\log.txt, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\preferences.dat, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\stats.dat, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\uninstallIE.dat, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\version.xml, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weatherbutton_prefs.xml, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\coupons\merchants.xml, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\coupons\merchants2.xml, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weather\16216f77f0ee7e1374022ac601a974e7, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weather\804e5eb85b1730d65039ad8c41b4fe50, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weather\forecasts_cache.xml, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weather\observations_cache.xml, No Action By User, [c3e360e48cfe0531d34e37d554b1916f],
    PUP.Optional.Searchqu.A, C:\Users\owner\AppData\Roaming\Mozilla\Extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}, No Action By User, [287ed56f5139f54104608b84ad585fa1],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_DataMngrHlpFF3_51.dll, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_DM_DLL_70.dll, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_DM_DLL_95.dll, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_DM_EXE_1.dll, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_DM_EXE_62.dll, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_IEBHO_48.dll, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_IEBHO_50.dll, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\sysid.ini, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\uninstall.exe, No Action By User, [a7ff0a3a99f1c86e3dcd2e3ed82b7b85],
    PUP.Optional.OpenCandy, C:\Users\owner\AppData\Roaming\OpenCandy\69595B2DF19C4C7B9947F3A0C5AD1D1C\HSS-2.83-install-plain-452-silent.exe, No Action By User, [61458db76129de5883baaebe788b43bd],
    PUP.Optional.Datamngr.A, C:\Users\owner\AppData\LocalLow\DataMngr\{7CA1F051-A4FB-4143-B263-02B41E571EED}, No Action By User, [6c3ad66eddade3539ecc6d05cc37d42c],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\dtx.ini, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\geodata.xml, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\geoip.xml, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\guid.dat, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\log.txt, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\preferences.dat, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\stats.dat, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\uninstallIE.dat, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\version.xml, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weatherbutton_prefs.xml, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather\5c641c07337be53cbf619c9ffaf25666, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather\d088e643e69e4f85766c3a0d65bd1982, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather\f87d04cdc5d2fe15db3ed18361ddac98, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather\forecasts_cache.xml, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather\observations_cache.xml, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Roaming\Astromenda\BRS\stats, No Action By User, [792deb590a80989ecd937d0e81821ae6],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Local\Astromenda\astcnfg.dat, No Action By User, [a600ee565535d561c44e4f507b8855ab],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Local\Astromenda\data, No Action By User, [a600ee565535d561c44e4f507b8855ab],

    Physical Sectors: 0
    (No malicious items detected)


    (end)

    Following is the log from the RogueKiller scan:

    RogueKiller V10.5.4.0 (x64) [Mar 12 2015] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : owner [Administrator]
    Started from : C:\Downloads\roguekiller\RogueKillerX64.exe
    Mode : Delete -- Date : 03/12/2015 09:47:02

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 29 ¤¤¤
    [PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0} -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> Not selected
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7} -> Not selected
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0} -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\70e6ca8c ("C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",SVC) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hshld (C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HssTrayService (C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HssWd (C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\70e6ca8c ("C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",SVC) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hshld (C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HssTrayService (C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HssWd (C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\70e6ca8c ("C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",SVC) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hshld (C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HssTrayService (C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE) -> Not selected
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HssWd (C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe) -> Not selected
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Not selected
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Not selected
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01 -> Not selected
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01 -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AF72873D-8295-4B2F-8CCD-C4BD2BEBD08F} | DhcpNameServer : 172.31.248.17 66.28.0.45 [(Private Address) (XX)][UNITED STATES (US)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AF72873D-8295-4B2F-8CCD-C4BD2BEBD08F} | DhcpNameServer : 172.31.248.17 66.28.0.45 [(Private Address) (XX)][UNITED STATES (US)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F46BF631-87C8-4094-BBC6-3FE59F6B346B} | DhcpNameServer : 116.228.111.118 180.168.255.18 [(Unknown Country?) (XX)][(Unknown Country?) (XX)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{AF72873D-8295-4B2F-8CCD-C4BD2BEBD08F} | DhcpNameServer : 172.31.248.17 66.28.0.45 [(Private Address) (XX)][UNITED STATES (US)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{AF72873D-8295-4B2F-8CCD-C4BD2BEBD08F} | DhcpNameServer : 172.31.248.17 66.28.0.45 [(Private Address) (XX)][UNITED STATES (US)] -> Not selected
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Not selected
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Not selected
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 3 ¤¤¤
    [PUP][FIREFX:Addon] x5lifesp.default-1414986831002 : Hotspot Shield Extension [afproxy@anchorfree.com] -> Not selected
    [PUM.Proxy][FIREFX:Config] x5lifesp.default-1414986831002 : user_pref("network.proxy.http", "127.0.0.1"); -> Not selected
    [PUM.Proxy][FIREFX:Config] x5lifesp.default-1414986831002 : user_pref("network.proxy.http_port", 8580); -> Not selected

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST9500325AS +++++
    --- User ---
    [MBR] 55a04d89e8315fe945a6188ddca4b4c1
    [BSP] 1e247d53995ca31cc8f20679b74fbd70 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 MB
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 24578048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 24782848 | Size: 464838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK

    Following is the log from the Malwarebytes Anti-Rootkit scan:
    Malwarebytes Anti-Rootkit BETA 1.09.1.1004
    www.malwarebytes.org

    Database version:
    main: v2015.03.12.06
    rootkit: v2015.02.25.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 10.0.9200.16618
    owner :: GATEWAY-NV54 [administrator]

    3/12/2015 3:10:50 PM
    mbar-log-2015-03-12 (15-10-50).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 465289
    Time elapsed: 29 minute(s), 58 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)

    Following is the system log from the Malwarebytes Anti-Rootkit scan:
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.09.1.1004

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 10.0.9200.16618

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.094000 GHz
    Memory total: 4220444672, free: 1826590720

    Downloaded database version: v2015.03.12.06
    Downloaded database version: v2015.02.25.01
    Downloaded database version: v2015.03.09.01
    =======================================
    Initializing...
    ------------ Kernel report ------------
    03/12/2015 15:10:29
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\msahci.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\system32\DRIVERS\MpFilter.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\System32\Drivers\aswVmm.sys
    \SystemRoot\System32\Drivers\aswRvrt.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\drivers\aswSnx.sys
    \SystemRoot\system32\drivers\aswSP.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\aswRdr2.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\hssdrv6.sys
    \SystemRoot\system32\DRIVERS\rtlprot.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd64.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\k57nd60a.sys
    \SystemRoot\system32\DRIVERS\athrx.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\SysWOW64\Drivers\DKbFltr.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\drivers\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\taphss6.sys
    \SystemRoot\system32\DRIVERS\ndisrd.sys
    \SystemRoot\system32\DRIVERS\smccarda.sys
    \SystemRoot\system32\DRIVERS\SMCLIB.SYS
    \SystemRoot\System32\DRIVERS\scfilter.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\circlass.sys
    \SystemRoot\system32\drivers\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\CHDRT64.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\CAXHWAZL.sys
    \SystemRoot\system32\DRIVERS\CAX_DPV.sys
    \SystemRoot\system32\DRIVERS\CAX_CNXT.sys
    \SystemRoot\system32\drivers\modem.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\drivers\aswMonFlt.sys
    \SystemRoot\system32\drivers\aswStm.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\aswHwid.sys
    \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    \SystemRoot\system32\drivers\peauth.sys
    \??\C:\Windows\system32\drivers\PECKP_x64.SYS
    \SystemRoot\system32\drivers\regi.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\DRIVERS\XAudio64.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\System32\Drivers\fastfat.SYS
    \SystemRoot\system32\drivers\WudfPf.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\urlmon.dll
    \Windows\System32\wininet.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\msctf.dll
    \Windows\System32\user32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\lpk.dll
    \Windows\System32\imm32.dll
    \Windows\System32\nsi.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\shell32.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\sechost.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\ole32.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\usp10.dll
    \Windows\System32\psapi.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
    \Windows\System32\devobj.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    \Windows\System32\msasn1.dll
    \Windows\SysWOW64\normaliz.dll
    ----------- End -----------
    Done!

    Scan started
    Database versions:
    main: v2015.03.12.06
    rootkit: v2015.02.25.01

    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa8004abc710, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8004abc160, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8004abc710, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa80046ef050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    Done!
    Drive 0
    This is a System drive
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 52D952D9

    Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 24576000

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 24578048 Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 24782848 Numsec = 951988272

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Done!
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-24578048-i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
    Removal finished

    Thanks again.
     
  14. 2015/03/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your MBAM log says "No Action By User".
    Re-run MBAM fix all issues and post new log.

    Next...

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
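An added example, not code from either poster and not part of any Malwarebytes tool: a small Python triage script that parses MBAM 2.x detection entries in the exact line format shown in the logs above ("family, location, action, [32-hex id],") and reports which findings were logged but left at "No Action By User", which is the point broni raises about re-running the scan with all items fixed. The embedded sample log is constructed in that format; treating only "Quarantined" as a resolved action is an assumption of this example.

```python
import re
from collections import Counter

# One MBAM 2.x detection entry, as seen in the logs in this thread:
#   <family>, <location>[, <value data>], <action>, [<32-hex id>],
# The location is matched greedily so registry-value entries, whose
# data field adds another ", ..." before the action, still parse.
MBAM_ENTRY = re.compile(
    r"^(?P<family>[^,]+), (?P<location>.+), "
    r"(?P<action>[^,\[\]]+), \[(?P<ident>[0-9a-f]{32})\],?$"
)

# Assumption for this example: only this action means the item was actually
# removed from the live system. Any other action is reported, not counted as done.
RESOLVED_ACTIONS = {"Quarantined"}

# Constructed sample in the same format as the MBAM logs posted in this thread.
SAMPLE_LOG = r"""
Files: 3
PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\dtx.ini, No Action By User, [7f27ac981b6fce68d7ccbac39b68bb45],
PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Local\Astromenda\astcnfg.dat, No Action By User, [a600ee565535d561c44e4f507b8855ab],
PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR|{99079A25-328F-4BD4-BE04-00955ACAA0A7}, Searchqu Toolbar, Quarantined, [89e2093c771363d3e9be68be7e85c739]
(No malicious items detected)
"""


def parse_mbam_entries(text):
    """Return one dict per detection entry; headers, blanks and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = MBAM_ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(text):
    """Summarise an MBAM log: counts per action, plus everything not actually resolved."""
    entries = parse_mbam_entries(text)
    unresolved = [e for e in entries if e["action"] not in RESOLVED_ACTIONS]
    return {
        "total": len(entries),
        "by_action": dict(Counter(e["action"] for e in entries)),
        "unresolved": unresolved,
        "families": sorted({e["family"] for e in unresolved}),
        # The situation broni calls out: detections logged but left in place.
        "needs_rerun": bool(unresolved),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} entries, by action: {report['by_action']}")
    for e in report["unresolved"]:
        print(f"  NOT REMOVED  {e['family']:<28} {e['location']}")
    if report["needs_rerun"]:
        print("Re-run the scan, apply the fix to all items, then post the new log.")
```

Run it against a saved MBAM log by replacing SAMPLE_LOG with the file's contents; the "families" list tells you at a glance which PUP families are still present on disk or in the registry after a scan that only warned.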
     
  15. 2015/03/14
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Following is the new MBAM log:
    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 3/14/2015
    Scan Time: 8:34:31 AM
    Logfile:
    Administrator: Yes

    Version: 2.00.4.1028
    Malware Database: v2015.03.14.03
    Rootkit Database: v2015.02.25.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: owner

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 455953
    Time Elapsed: 29 min, 35 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Warn
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 28
    PUP.Optional.SearchQu, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{99079A25-328F-4BD4-BE04-00955ACAA0A7}, Quarantined, [89e2093c771363d3e9be68be7e85c739],
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{99079A25-328F-4BD4-BE04-00955ACAA0A7}, Quarantined, [89e2093c771363d3e9be68be7e85c739],
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{99079A25-328F-4BD4-BE04-00955ACAA0A7}, Quarantined, [89e2093c771363d3e9be68be7e85c739],
    PUP.Optional.Bandoo.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{9D717F81-9148-4F12-8568-69135F087DB0}, Quarantined, [6b0070d5404a0234fc6ba4b5d0337d83],
    PUP.Optional.Bandoo.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{9D717F81-9148-4F12-8568-69135F087DB0}, Quarantined, [6b0070d5404a0234fc6ba4b5d0337d83],
    PUP.Optional.Bandoo.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{9D717F81-9148-4F12-8568-69135F087DB0}, Quarantined, [6b0070d5404a0234fc6ba4b5d0337d83],
    PUP.Optional.Datamngr.A, HKLM\SOFTWARE\CLASSES\SearchQUIEHelper.DNSGuard, Quarantined, [f9729ca9c1c92115db484d0dcc37d22e],
    PUP.Optional.Datamngr.A, HKLM\SOFTWARE\CLASSES\SearchQUIEHelper.DNSGuard.1, Quarantined, [e289ee575b2fcd6941e2ef6b14efc23e],
    PUP.Optional.Datamngr.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\SearchQUIEHelper.DNSGuard, Quarantined, [e289ee575b2fcd6941e2ef6b14efc23e],
    PUP.Optional.Datamngr.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\SearchQUIEHelper.DNSGuard.1, Quarantined, [e289ee575b2fcd6941e2ef6b14efc23e],
    PUP.Optional.Koyote.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Free Video Converter, Quarantined, [7bf0bb8a6d1d0d293435f2796f929c64],
    PUP.Optional.DataMangr.A, HKLM\SOFTWARE\DataMngr, Quarantined, [99d23213b7d3b680134de4fac043b54b],
    PUP.Optional.Astromenda.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pfkfdlcdbajamklbneflfbcmfgddmpae, Quarantined, [8edd3213fd8d90a61e4e92a3927358a8],
    PUP.Optional.DataMangr.A, HKLM\SOFTWARE\WOW6432NODE\DataMngr, Quarantined, [2d3e9da846443402045cfde108fb26da],
    PUP.Optional.Astromenda.A, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\pfkfdlcdbajamklbneflfbcmfgddmpae, Quarantined, [df8ce0657d0dbe78b1bb2a0b669f4db3],
    PUP.Optional.InstallCore.A, HKLM\SOFTWARE\WOW6432NODE\INSTALLCORE\WSE_Astromenda, Quarantined, [452647fe0a80c670899444803ac9fb05],
    PUP.Optional.1ClickDownload.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\1ClickDownload, Quarantined, [a9c23d086921d0664093a17016efaa56],
    PUP.Optional.Astromenda.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\astromenda, Quarantined, [e982bd88414955e1434b476e788bb34d],
    PUP.Optional.DataMngr.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DataMngr, Quarantined, [620994b14842bc7adf83ba56ea1b4ab6],
    PUP.Optional.DataMngr.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DataMngr_Toolbar, Quarantined, [501b271e84060c2a0c556fa1a75e6997],
    PUP.Optional.Astromenda.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WSE_Astromenda, Quarantined, [3b30ed58800a0234f2067b509f646e92],
    PUP.Optional.Astromenda.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pfkfdlcdbajamklbneflfbcmfgddmpae, Quarantined, [7af12025d4b6251197d63ff6fe07867a],
    PUP.Optional.InstallCore.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE\1I1T1Q1S, Quarantined, [b2b9380d761469cd248547b3f01329d7],
    PUP.Optional.InstallCore.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE, Quarantined, [d596db6aaedc5fd7a6df8d83f312ac54],
    PUP.Optional.DataMngr.A, HKU\S-1-5-21-669636167-3881197016-1759864487-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DataMngr, Quarantined, [9ecd76cfc0cab185a3bfd63ad33248b8],
    PUP.Optional.DataMngr.A, HKU\S-1-5-21-669636167-3881197016-1759864487-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DataMngr_Toolbar, Quarantined, [1b5053f2325857dfc49dc34d7194b848],
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Searchqu 0 MediaBar, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows Searchqu Toolbar, Quarantined, [88e3ad98b7d3132395a637361ce7817f],

    Registry Values: 3
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR|{99079A25-328F-4BD4-BE04-00955ACAA0A7}, Searchqu Toolbar, Quarantined, [89e2093c771363d3e9be68be7e85c739]
    PUP.Optional.SearchQu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\{99079a25-328f-4bd4-be04-00955acaa0a7}, Quarantined, [5a11d76ec1c9d5613e6952d4cb3834cc],
    PUP.Optional.InstallCore.A, HKU\S-1-5-21-669636167-3881197016-1759864487-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, zr2X2X1G1S1F2V1S2Q0V, Quarantined, [d596db6aaedc5fd7a6df8d83f312ac54]

    Registry Data: 0
    (No malicious items detected)

    Folders: 14
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\coupons, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weather, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.OpenCandy, C:\Users\owner\AppData\Roaming\OpenCandy, Quarantined, [f4771f26f09ac57179f5bfaeb05326da],
    PUP.Optional.OpenCandy, C:\Users\owner\AppData\Roaming\OpenCandy\69595B2DF19C4C7B9947F3A0C5AD1D1C, Quarantined, [f4771f26f09ac57179f5bfaeb05326da],
    PUP.Optional.Datamngr.A, C:\Users\owner\AppData\LocalLow\DataMngr, Quarantined, [05661d289bef043202997ef535ce738d],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchquband, Quarantined, [e08b4302f69447ef7162e896cb38f40c],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Roaming\Astromenda, Quarantined, [6803b194c0ca1125aee3187444bfde22],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Roaming\Astromenda\BRS, Quarantined, [6803b194c0ca1125aee3187444bfde22],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\Roaming\searchquband, Quarantined, [c0abf253dcae221498c1edaea261d12f],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Local\Astromenda, Quarantined, [5d0e172e02881f178fb4cfd145be847c],

    Files: 46
    PUP.Optional.Koyote.A, C:\Program Files (x86)\Free Video Converter\Uninstall.exe, Quarantined, [7bf0bb8a6d1d0d293435f2796f929c64],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\guid.dat, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\dtx.ini, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\geodata.xml, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\log.txt, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\preferences.dat, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\stats.dat, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\uninstallIE.dat, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\version.xml, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weatherbutton_prefs.xml, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\coupons\merchants.xml, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\coupons\merchants2.xml, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weather\16216f77f0ee7e1374022ac601a974e7, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weather\804e5eb85b1730d65039ad8c41b4fe50, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weather\forecasts_cache.xml, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.SearchQu, C:\Users\owner\AppData\Roaming\searchqutoolbar\weather\observations_cache.xml, Quarantined, [412a94b199f1a393c2eeb756df265aa6],
    PUP.Optional.Searchqu.A, C:\Users\owner\AppData\Roaming\Mozilla\Extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}, Quarantined, [ec7f1f261971e74fb43e31df887d33cd],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_DataMngrHlpFF3_51.dll, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_DM_DLL_70.dll, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_DM_DLL_95.dll, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_DM_EXE_1.dll, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_DM_EXE_62.dll, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_IEBHO_48.dll, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\del_IEBHO_50.dll, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\sysid.ini, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.SearchQu, C:\Program Files (x86)\Windows Searchqu Toolbar\uninstall.exe, Quarantined, [88e3ad98b7d3132395a637361ce7817f],
    PUP.Optional.OpenCandy, C:\Users\owner\AppData\Roaming\OpenCandy\69595B2DF19C4C7B9947F3A0C5AD1D1C\HSS-2.83-install-plain-452-silent.exe, Quarantined, [f4771f26f09ac57179f5bfaeb05326da],
    PUP.Optional.Datamngr.A, C:\Users\owner\AppData\LocalLow\DataMngr\{7CA1F051-A4FB-4143-B263-02B41E571EED}, Quarantined, [05661d289bef043202997ef535ce738d],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\dtx.ini, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\geodata.xml, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\geoip.xml, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\guid.dat, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\log.txt, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\preferences.dat, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\stats.dat, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\uninstallIE.dat, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\version.xml, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weatherbutton_prefs.xml, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather\5c641c07337be53cbf619c9ffaf25666, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather\d088e643e69e4f85766c3a0d65bd1982, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather\f87d04cdc5d2fe15db3ed18361ddac98, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather\forecasts_cache.xml, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.SearchQu.A, C:\Users\owner\AppData\LocalLow\searchqutoolbar\weather\observations_cache.xml, Quarantined, [e88365e038521f17e8ec82fcc63d867a],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Roaming\Astromenda\BRS\stats, Quarantined, [6803b194c0ca1125aee3187444bfde22],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Local\Astromenda\astcnfg.dat, Quarantined, [5d0e172e02881f178fb4cfd145be847c],
    PUP.Optional.Astromenda.A, C:\Users\owner\AppData\Local\Astromenda\data, Quarantined, [5d0e172e02881f178fb4cfd145be847c],

    Physical Sectors: 0
    (No malicious items detected)


    (end)

    Following is the Combofix log. I don't know why some of the text is in Chinese, maybe because I used my laptop while in China. (I've placed my translation in English in parentheses.)
    ComboFix 15-03-14.03 - owner 4/2015 Sat 9:23.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.936.86.1033.18.4025.2254 [GMT -7:00]
    执行位置: c:\users\owner\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
    SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( 被删除的档案(files deleted) )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\program files (x86)\INSTALL.LOG
    c:\programdata\A315E40CF1.sys
    c:\users\owner\AppData\Local\2908482dsisetup29097302.exe
    c:\users\owner\AppData\Local\dsisetup15543002.exe
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\EPSON002.JPG.url
    c:\windows\IsUn0804.exe
    c:\windows\msdownld.tmp
    .
    .
    ((((((((((((((((((((((((( 2015-02-14 至 2015-03-14 的新的档案(new files between 2015-02-14 and 2015-03-14 )))))))))))))))))))))))))))))))
    .
    .
    2015-03-12 22:10 . 2015-03-12 22:42 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2015-03-12 21:29 . 2015-03-12 21:34 37624 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2015-03-12 21:29 . 2015-03-12 21:31 -------- d-----w- c:\programdata\RogueKiller
    2015-03-11 03:33 . 2015-03-11 03:33 -------- d-----w- c:\users\owner\AppData\Roaming\dlg
    2015-03-11 03:17 . 2015-03-12 20:46 -------- d-----w- c:\users\owner\AppData\Roaming\Smart Driver Updater
    2015-03-11 03:17 . 2015-03-11 03:17 -------- d-----w- c:\program files (x86)\Smart Driver Updater
    2015-03-01 01:07 . 2015-03-01 01:07 -------- d-----w- c:\program files (x86)\Common Files\Skype
    2015-02-27 23:32 . 2015-02-27 23:32 -------- d-----w- c:\users\owner\AppData\Local\FeedbackRpt
    2015-02-27 23:30 . 2015-03-12 21:55 -------- d-----w- C:\TaxACT
    2015-02-27 05:57 . 2015-02-28 04:59 -------- d-----w- C:\FRST
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案(files revised in the past 3 months) ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2015-03-14 15:34 . 2015-01-30 00:24 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2015-03-12 22:09 . 2015-01-30 00:24 107736 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2015-02-28 15:15 . 2012-04-07 14:57 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2015-02-28 15:15 . 2011-05-15 00:11 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2015-02-04 01:54 . 2010-01-07 05:22 8456 --sha-w- c:\programdata\KGyGaAvL.sys
    2002-08-09 07:40 . 2010-01-30 23:33 153088 ----a-w- c:\program files (x86)\UNWISE.EXE
    .
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示(note:empty and legal defaults will not be displayed)
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @= "{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 130736 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @= "{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 130736 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @= "{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 130736 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype "= "c:\program files (x86)\Skype\Phone\Skype.exe" [2015-01-23 31087200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "BackupManagerTray "= "c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-09-24 244480]
    "LManager "= "c:\program files (x86)\Launch Manager\LManager.exe" [2009-11-01 1094736]
    "Microsoft Pinyin IME Migration "= "c:\progra~2\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2011-05-31 32112]
    "AvastUI.exe "= "c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-08-03 4085896]
    "Adobe ARM "= "c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-12-19 1022152]
    "BOCUK2IBankMon.exe "= "c:\program files (x86)\BOC\USBKEY II\IBank\BOCUK2IBankMon.exe" [2014-12-12 59792]
    "ePass2001_bosh "= "c:\program files (x86)\BOSHEbankTools\BOSHEbankPlugin\FTePass2001\certd_bosh.exe" [2013-12-16 125272]
    "InterPass3000_SHBANK "= "c:\program files (x86)\BOSHEbankTools\BOSHEbankPlugin\FTInterPass3000\certd_I3000_SHBANK.exe" [2014-02-11 256344]
    "AK300_bosh "= "c:\program files (x86)\BOSHEbankTools\BOSHEbankPlugin\bosh_argusec_usbkey\ak300_bosh_certreg.exe" [2013-11-14 357744]
    "HengBao UranuSafe CSP V3.0 For SHBANK "= "c:\program files (x86)\BOSHEbankTools\BOSHEbankPlugin\bosh_hb_usbkey\bosh_hb_usbkey_plugins.exe" [2014-02-25 216952]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "= 5 (0x5)
    "ConsentPromptBehaviorUser "= 3 (0x3)
    "EnableUIADesktopToggle "= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "EnableShellExecuteHooks "= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs "=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux3 "=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
    IME File REG_SZ IMSC12.IME
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\R6BaseSmc]
    @=" "
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ry6_USB]
    @=" "
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCardSvr]
    @=" "
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{50DD5230-BA8A-11D1-BF5D-0000F805F530}]
    @=" "
    .
    R2 70e6ca8c;Optimizer Pro Crash Monitor;c:\windows\system32\rundll32.exe;c:\windows\SYSNATIVE\rundll32.exe [x]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 DeviceHealth;Microsoft Device Health Machine Service;c:\program files (x86)\Microsoft Device Health\DhMachineSvc.exe;c:\program files (x86)\Microsoft Device Health\DhMachineSvc.exe [x]
    R2 KMService;KMService;c:\windows\system32\srvany.exe;c:\windows\SYSNATIVE\srvany.exe [x]
    R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
    R2 pcas;Alipay payment client security service;c:\program files (x86)\alipay\aliedit\4.6.0.3481\pcas.exe;c:\program files (x86)\alipay\aliedit\4.6.0.3481\pcas.exe [x]
    R2 RealtekUSB;RealtekUSB;c:\program files (x86)\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe;c:\program files (x86)\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe [x]
    R2 secbizsrv;Alipay security business service;c:\program files (x86)\alipay\aliedit\4.6.0.3481\secbizsrv.exe;c:\program files (x86)\alipay\aliedit\4.6.0.3481\secbizsrv.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
    R3 CXIR;Conexant Polaris IR Receiver;c:\windows\system32\drivers\cxcir.sys;c:\windows\SYSNATIVE\drivers\cxcir.sys [x]
    R3 CXPOLARIS;Conexant Polaris Hybrid ATSC/QAM TV Stick ;c:\windows\system32\drivers\GTATSC.sys;c:\windows\SYSNATIVE\drivers\GTATSC.sys [x]
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
    R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys;c:\windows\SYSNATIVE\DRIVERS\ewusbnet.sys [x]
    R3 hitmanpro35;Hitman Pro 3.5 Support Driver; [x]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ewusbdev.sys [x]
    R3 Ndisrd;WinpkFilter Service;c:\windows\system32\DRIVERS\ndisrd.sys;c:\windows\SYSNATIVE\DRIVERS\ndisrd.sys [x]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
    R3 ProtectorA;ProtectorA;c:\windows\system32\drivers\ProtectorA.sys;c:\windows\SYSNATIVE\drivers\ProtectorA.sys [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
    R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\rtl8187.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8187.sys [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
    R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
    S0 aswRvrt;avast! Revert; [x]
    S0 aswVmm;avast! VM Monitor; [x]
    S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
    S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys;c:\windows\SYSNATIVE\DRIVERS\hssdrv6.sys [x]
    S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys;c:\windows\SYSNATIVE\DRIVERS\rtlprot.sys [x]
    S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
    S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
    S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
    S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [x]
    S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [x]
    S2 CAJ Service Host;CAJ Service Host;c:\program files (x86)\TTKN\CAJVD\CAJSHost.exe;c:\program files (x86)\TTKN\CAJVD\CAJSHost.exe [x]
    S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
    S2 FoxitCloudUpdateService;Foxit Cloud Safe Update Service;c:\program files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe;c:\program files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [x]
    S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [x]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
    S2 hshld;Hotspot Shield Service;c:\program files (x86)\Hotspot Shield\bin\cmw_srv.exe;c:\program files (x86)\Hotspot Shield\bin\cmw_srv.exe [x]
    S2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [x]
    S2 ngSlotD;ngSlotDaemon;c:\program files (x86)\ngsrv\ngslotd.exe;c:\program files (x86)\ngsrv\ngslotd.exe [x]
    S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [x]
    S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [x]
    S2 PECKbdProtector;PECKbdProtector;c:\windows\system32\drivers\PECKP_x64.SYS;c:\windows\SYSNATIVE\drivers\PECKP_x64.SYS [x]
    S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
    S2 RealPlayer Cloud Service;RealPlayer Cloud Service;c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe;c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [x]
    S2 RealPlayerUpdateSvc;RealPlayer Update Service;c:\program files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe;c:\program files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [x]
    S2 regi;regi;c:\windows\system32\drivers\regi.sys;c:\windows\SYSNATIVE\drivers\regi.sys [x]
    S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
    S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys;c:\windows\SYSNATIVE\DRIVERS\CAXHWAZL.sys [x]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
    S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
    S3 NdisrdMP;NdisrdMP;c:\windows\system32\DRIVERS\ndisrd.sys;c:\windows\SYSNATIVE\DRIVERS\ndisrd.sys [x]
    S3 R6BaseSmc;USB Token 32 Holder Service;c:\windows\system32\DRIVERS\smccarda.sys;c:\windows\SYSNATIVE\DRIVERS\smccarda.sys [x]
    S3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys;c:\windows\SYSNATIVE\DRIVERS\taphss6.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    XLServicePlatform REG_MULTI_SZ XLServicePlatform
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2015-03-14 15:30 1061704 ----a-w- c:\program files (x86)\Google\Chrome\Application\41.0.2272.89\Installer\chrmstp.exe
    .
    ‘计划任务’ 文件夹 里的内容(contents of the planned tasks folder)
    .
    2015-03-14 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 15:15]
    .
    2015-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-13 00:13]
    .
    2015-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-13 00:13]
    .
    2015-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000Core.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-11 05:54]
    .
    2015-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000UA.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-11 05:54]
    .
    2015-03-11 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\windows\system32\rundll32.exe [2009-07-13 01:14]
    .
    2015-01-29 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @= "{472083B0-C522-11CF-8763-00608CC02F24} "
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2014-07-09 02:04 634872 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @= "{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @= "{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @= "{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @= "{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif "= "c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
    "cAudioFilterAgent "= "c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-10-09 508472]
    "Acer ePower Management "= "c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-09-30 823840]
    "Microsoft Pinyin IME Migration "= "c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2011-05-26 59248]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2009-09-03 159232]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2009-09-03 380928]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2009-09-03 358912]
    .
    ------- 而外的扫描 (other scans)-------
    .
    uStart Page = about:Tabs
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{00B03C7D-93A4-4814-98A9-66351ADEDF84} - res://CITICAP.dll/ConfigByHotIcon
    IE: {{00B03C7D-93A4-4814-98A9-66351ADEDF84} - res://CITICAP.dll/ConfigByHotIcon
    LSP: c:\program files (x86)\YouKu\YoukuClient\ikutm.dll
    Trusted Zone: alipay.com
    Trusted Zone: alisoft.com
    Trusted Zone: bankofchina.com\www
    Trusted Zone: bankofshanghai.com
    Trusted Zone: bankofshanghai.com\ebanks
    Trusted Zone: boc.cn\ebs
    Trusted Zone: boc.cn\www
    Trusted Zone: cfca.com.cn\www
    Trusted Zone: ebank.bosit
    Trusted Zone: ecitic.com
    Trusted Zone: ecitic.com\b2c.bank
    Trusted Zone: ecitic.com\creditcard
    Trusted Zone: ecitic.com\e.bank
    Trusted Zone: ecitic.com\enterprise.bank
    Trusted Zone: taobao.com
    TCP: DhcpNameServer = 8.8.4.4 4.2.2.4 4.2.2.3
    TCP: Interfaces\{C3627550-C014-466F-975A-562836D70C40}: NameServer = 8.8.8.8
    DPF: {78E87ACB-656E-4257-961D-3FADBE77A626} - hxxp://wuxizazhi.cnki.net/activex/cajax1.cab
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\x5lifesp.default-1414986831002\
    FF - prefs.js: browser.search.defaulturl - hxxps://search.yahoo.com/yhs/search
    FF - prefs.js: browser.search.selectedEngine - Yahoo! (Avast)
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxps://search.yahoo.com/yhs/search
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 8580
    FF - prefs.js: network.proxy.type - 0
    .
    .
    ------- 文件类型 (File types)-------
    .
    JSEFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{C8CBC109-B04A-4dda-956E-BFFE0360DADD} - (no file)
    Toolbar-Locked - (no file)
    Toolbar-10 - (no file)
    HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
    BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-尚书六号表格文字识别系统 - c:\windows\IsUn0804.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F} "=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
    27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
    "{8E5E2654-AD2D-48BF-AC2D-D17F00898D06} "=hex:51,66,7a,6c,4c,1d,38,12,3a,25,4d,
    8a,1f,e3,d1,0d,d3,3b,92,3f,05,d7,c9,12
    "{9030D464-4C02-4ABF-8ECC-5164760863C6} "=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{9FDDE16B-836F-4806-AB1F-1455CBEFF289} "=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,
    9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d
    "{AA58ED58-01DD-4D91-8333-CF10577473F7} "=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
    ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
    "{C37F9D60-975D-41F2-A745-4DC934D319AA} "=hex:51,66,7a,6c,4c,1d,38,12,0e,9e,6c,
    c7,6f,d9,9c,04,d8,53,0e,89,31,8d,5d,be
    "{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} "=hex:51,66,7a,6c,4c,1d,38,12,3a,a3,f7,
    fd,83,a7,ad,0e,fc,b5,35,e1,ab,2d,25,64
    "{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
    fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
    "{BDEADE7F-C265-11D0-BCED-00A0C90AB50F} "=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
    b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp "=hex:93,b3,c2,e3,d0,b8,cf,01
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b5,04,e2,3f,e9,80,70,44,b6,49,d9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b5,04,e2,3f,e9,80,70,44,b6,49,d9,\
    .
    [HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
    "ClientGUID "=hex:00,39,d8,08,d8,eb,b0,49,ba,1a,1f,0f,1c,48,9b,5a
    .
    [HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000_Classes\SystemFileAssociations\.kux\Shell\O(uOw憿[7b飠 *Sb*_\Command]
    @= "\ "c:\\Program Files (x86)\\YouKu\\YoukuClient\\YoukuDesktop.exe\" iku://|explorer|%1| "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled "=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @= "c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker6 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled "=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @= "c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @= "Shockwave Flash Object "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @= "c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx "
    "ThreadingModel "= "Apartment "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @= "0 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @= "ShockwaveFlash.ShockwaveFlash.16 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @= "c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @= "{D27CDB6B-AE6D-11cf-96B8-444553540000} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @= "1.0 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @= "ShockwaveFlash.ShockwaveFlash "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @= "Macromedia Flash Factory Object "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @= "c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx "
    "ThreadingModel "= "Apartment "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @= "FlashFactory.FlashFactory.1 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @= "c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @= "{D27CDB6B-AE6D-11cf-96B8-444553540000} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @= "1.0 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @= "FlashFactory.FlashFactory "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker6 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YoukuVideo\Shell\O(uOw憿[7b飠 *Sb*_\Command]
    @= "\ "c:\\Program Files (x86)\\YouKu\\YoukuClient\\YoukuDesktop.exe\" iku://|explorer|%1| "
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ 其他运行进程(other processes running) ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\program files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    .
    **************************************************************************
    .
    完成时间(Time of completion): 2015-03-14 09:53:12 - 电脑已重新启动(The computer has been restarted)
    ComboFix-quarantined-files.txt 2015-03-14 16:53
    .
    Pre-Run: 57,116,225,536 bytes free
    Post-Run: 56,562,016,256 bytes free
    .
    - - End Of File - - 67FFDE1DC70103406C4ECB2FEADAA61E
    A36C5E4F47E84449FF07ED3517B43A31
     
  16. 2015/03/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Driver::
    70e6ca8c
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [image: animation of dragging CFScript.txt onto ComboFix.exe]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  17. 2015/03/14
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Following are the contents of the latest combofix.txt. Again, some of the text was in Chinese. I've added my translation in English in parentheses.

    ComboFix 15-03-14.03 - owner 4/2015 Sat 16:56:08.2.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.936.86.1033.18.4025.2663 [GMT -7:00]
    执行位置(Location of application): c:\users\owner\Desktop\ComboFix.exe
    Command switches used :: c:\users\owner\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
    AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
    SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
    SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( 被删除的档案(Deleted file) )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\A315E40CF1.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( 驱动/服务(Driver/Service) )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_70e6ca8c
    .
    .
    ((((((((((((((((((((((((( 2015-02-15 至 2015-03-15 的新的档案(New files from 2015-02-15 to 2015-03-15) )))))))))))))))))))))))))))))))
    .
    .
    2015-03-15 00:17 . 2015-03-15 00:17 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2015-03-15 00:17 . 2015-03-15 00:17 -------- d-----w- c:\users\fbwuser\AppData\Local\temp
    2015-03-12 22:10 . 2015-03-12 22:42 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2015-03-12 21:29 . 2015-03-12 21:34 37624 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2015-03-12 21:29 . 2015-03-12 21:31 -------- d-----w- c:\programdata\RogueKiller
    2015-03-11 03:33 . 2015-03-11 03:33 -------- d-----w- c:\users\owner\AppData\Roaming\dlg
    2015-03-11 03:17 . 2015-03-12 20:46 -------- d-----w- c:\users\owner\AppData\Roaming\Smart Driver Updater
    2015-03-11 03:17 . 2015-03-11 03:17 -------- d-----w- c:\program files (x86)\Smart Driver Updater
    2015-03-01 01:07 . 2015-03-01 01:07 -------- d-----w- c:\program files (x86)\Common Files\Skype
    2015-02-27 23:32 . 2015-02-27 23:32 -------- d-----w- c:\users\owner\AppData\Local\FeedbackRpt
    2015-02-27 23:30 . 2015-03-12 21:55 -------- d-----w- C:\TaxACT
    2015-02-27 05:57 . 2015-02-28 04:59 -------- d-----w- C:\FRST
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案(Files modified during the last 3 months) ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2015-03-14 23:37 . 2010-01-07 05:22 8456 --sha-w- c:\programdata\KGyGaAvL.sys
    2015-03-14 15:34 . 2015-01-30 00:24 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2015-03-12 22:09 . 2015-01-30 00:24 107736 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2015-02-28 15:15 . 2012-04-07 14:57 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2015-02-28 15:15 . 2011-05-15 00:11 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2002-08-09 07:40 . 2010-01-30 23:33 153088 ----a-w- c:\program files (x86)\UNWISE.EXE
    .
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点(Important entry point) ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示(Note: empty and legal default entries will not be displayed)
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @= "{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 130736 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @= "{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 130736 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @= "{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 130736 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype "= "c:\program files (x86)\Skype\Phone\Skype.exe" [2015-01-23 31087200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "BackupManagerTray "= "c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-09-24 244480]
    "LManager "= "c:\program files (x86)\Launch Manager\LManager.exe" [2009-11-01 1094736]
    "Microsoft Pinyin IME Migration "= "c:\progra~2\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2011-05-31 32112]
    "AvastUI.exe "= "c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-08-03 4085896]
    "Adobe ARM "= "c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-12-19 1022152]
    "BOCUK2IBankMon.exe "= "c:\program files (x86)\BOC\USBKEY II\IBank\BOCUK2IBankMon.exe" [2014-12-12 59792]
    "ePass2001_bosh "= "c:\program files (x86)\BOSHEbankTools\BOSHEbankPlugin\FTePass2001\certd_bosh.exe" [2013-12-16 125272]
    "InterPass3000_SHBANK "= "c:\program files (x86)\BOSHEbankTools\BOSHEbankPlugin\FTInterPass3000\certd_I3000_SHBANK.exe" [2014-02-11 256344]
    "AK300_bosh "= "c:\program files (x86)\BOSHEbankTools\BOSHEbankPlugin\bosh_argusec_usbkey\ak300_bosh_certreg.exe" [2013-11-14 357744]
    "HengBao UranuSafe CSP V3.0 For SHBANK "= "c:\program files (x86)\BOSHEbankTools\BOSHEbankPlugin\bosh_hb_usbkey\bosh_hb_usbkey_plugins.exe" [2014-02-25 216952]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "= 5 (0x5)
    "ConsentPromptBehaviorUser "= 3 (0x3)
    "EnableUIADesktopToggle "= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "EnableShellExecuteHooks "= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs "=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux3 "=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
    IME File REG_SZ IMSC12.IME
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\R6BaseSmc]
    @=" "
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ry6_USB]
    @=" "
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCardSvr]
    @=" "
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{50DD5230-BA8A-11D1-BF5D-0000F805F530}]
    @=" "
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 DeviceHealth;Microsoft Device Health Machine Service;c:\program files (x86)\Microsoft Device Health\DhMachineSvc.exe;c:\program files (x86)\Microsoft Device Health\DhMachineSvc.exe [x]
    R2 KMService;KMService;c:\windows\system32\srvany.exe;c:\windows\SYSNATIVE\srvany.exe [x]
    R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
    R2 pcas;Alipay payment client security service;c:\program files (x86)\alipay\aliedit\4.6.0.3481\pcas.exe;c:\program files (x86)\alipay\aliedit\4.6.0.3481\pcas.exe [x]
    R2 RealtekUSB;RealtekUSB;c:\program files (x86)\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe;c:\program files (x86)\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe [x]
    R2 secbizsrv;Alipay security business service;c:\program files (x86)\alipay\aliedit\4.6.0.3481\secbizsrv.exe;c:\program files (x86)\alipay\aliedit\4.6.0.3481\secbizsrv.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
    R3 CXIR;Conexant Polaris IR Receiver;c:\windows\system32\drivers\cxcir.sys;c:\windows\SYSNATIVE\drivers\cxcir.sys [x]
    R3 CXPOLARIS;Conexant Polaris Hybrid ATSC/QAM TV Stick ;c:\windows\system32\drivers\GTATSC.sys;c:\windows\SYSNATIVE\drivers\GTATSC.sys [x]
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
    R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys;c:\windows\SYSNATIVE\DRIVERS\ewusbnet.sys [x]
    R3 hitmanpro35;Hitman Pro 3.5 Support Driver; [x]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ewusbdev.sys [x]
    R3 Ndisrd;WinpkFilter Service;c:\windows\system32\DRIVERS\ndisrd.sys;c:\windows\SYSNATIVE\DRIVERS\ndisrd.sys [x]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
    R3 ProtectorA;ProtectorA;c:\windows\system32\drivers\ProtectorA.sys;c:\windows\SYSNATIVE\drivers\ProtectorA.sys [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
    R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\rtl8187.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8187.sys [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
    R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
    S0 aswRvrt;avast! Revert; [x]
    S0 aswVmm;avast! VM Monitor; [x]
    S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
    S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys;c:\windows\SYSNATIVE\DRIVERS\hssdrv6.sys [x]
    S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys;c:\windows\SYSNATIVE\DRIVERS\rtlprot.sys [x]
    S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
    S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
    S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
    S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [x]
    S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [x]
    S2 CAJ Service Host;CAJ Service Host;c:\program files (x86)\TTKN\CAJVD\CAJSHost.exe;c:\program files (x86)\TTKN\CAJVD\CAJSHost.exe [x]
    S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
    S2 FoxitCloudUpdateService;Foxit Cloud Safe Update Service;c:\program files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe;c:\program files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [x]
    S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [x]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
    S2 hshld;Hotspot Shield Service;c:\program files (x86)\Hotspot Shield\bin\cmw_srv.exe;c:\program files (x86)\Hotspot Shield\bin\cmw_srv.exe [x]
    S2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [x]
    S2 ngSlotD;ngSlotDaemon;c:\program files (x86)\ngsrv\ngslotd.exe;c:\program files (x86)\ngsrv\ngslotd.exe [x]
    S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [x]
    S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [x]
    S2 PECKbdProtector;PECKbdProtector;c:\windows\system32\drivers\PECKP_x64.SYS;c:\windows\SYSNATIVE\drivers\PECKP_x64.SYS [x]
    S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
    S2 RealPlayer Cloud Service;RealPlayer Cloud Service;c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe;c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [x]
    S2 RealPlayerUpdateSvc;RealPlayer Update Service;c:\program files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe;c:\program files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [x]
    S2 regi;regi;c:\windows\system32\drivers\regi.sys;c:\windows\SYSNATIVE\drivers\regi.sys [x]
    S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
    S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys;c:\windows\SYSNATIVE\DRIVERS\CAXHWAZL.sys [x]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
    S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
    S3 NdisrdMP;NdisrdMP;c:\windows\system32\DRIVERS\ndisrd.sys;c:\windows\SYSNATIVE\DRIVERS\ndisrd.sys [x]
    S3 R6BaseSmc;USB Token 32 Holder Service;c:\windows\system32\DRIVERS\smccarda.sys;c:\windows\SYSNATIVE\DRIVERS\smccarda.sys [x]
    S3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys;c:\windows\SYSNATIVE\DRIVERS\taphss6.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    XLServicePlatform REG_MULTI_SZ XLServicePlatform
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2015-03-14 15:30 1061704 ----a-w- c:\program files (x86)\Google\Chrome\Application\41.0.2272.89\Installer\chrmstp.exe
    .
    ‘计划任务’ 文件夹 里的内容(Contents of the planned tasks folder)
    .
    2015-03-15 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 15:15]
    .
    2015-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-13 00:13]
    .
    2015-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-13 00:13]
    .
    2015-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000Core.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-11 05:54]
    .
    2015-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000UA.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-11 05:54]
    .
    2015-03-11 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\windows\system32\rundll32.exe [2009-07-13 01:14]
    .
    2015-01-29 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @= "{472083B0-C522-11CF-8763-00608CC02F24} "
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2014-07-09 02:04 634872 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @= "{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @= "{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @= "{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @= "{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif "= "c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
    "cAudioFilterAgent "= "c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-10-09 508472]
    "SynTPEnh "= "c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "Acer ePower Management "= "c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-09-30 823840]
    "Microsoft Pinyin IME Migration "= "c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2011-05-26 59248]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2009-09-03 159232]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2009-09-03 380928]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2009-09-03 358912]
    .
    ------- 而外的扫描 (other scans)-------
    .
    uStart Page = about:Tabs
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{00B03C7D-93A4-4814-98A9-66351ADEDF84} - res://CITICAP.dll/ConfigByHotIcon
    IE: {{00B03C7D-93A4-4814-98A9-66351ADEDF84} - res://CITICAP.dll/ConfigByHotIcon
    LSP: c:\program files (x86)\YouKu\YoukuClient\ikutm.dll
    Trusted Zone: alipay.com
    Trusted Zone: alisoft.com
    Trusted Zone: bankofchina.com\www
    Trusted Zone: bankofshanghai.com
    Trusted Zone: bankofshanghai.com\ebanks
    Trusted Zone: boc.cn\ebs
    Trusted Zone: boc.cn\www
    Trusted Zone: cfca.com.cn\www
    Trusted Zone: ebank.bosit
    Trusted Zone: ecitic.com
    Trusted Zone: ecitic.com\b2c.bank
    Trusted Zone: ecitic.com\creditcard
    Trusted Zone: ecitic.com\e.bank
    Trusted Zone: ecitic.com\enterprise.bank
    Trusted Zone: taobao.com
    TCP: DhcpNameServer = 8.8.4.4 4.2.2.4 4.2.2.3
    TCP: Interfaces\{C3627550-C014-466F-975A-562836D70C40}: NameServer = 8.8.8.8
    DPF: {78E87ACB-656E-4257-961D-3FADBE77A626} - hxxp://wuxizazhi.cnki.net/activex/cajax1.cab
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\x5lifesp.default-1414986831002\
    FF - prefs.js: browser.search.defaulturl - hxxps://search.yahoo.com/yhs/search
    FF - prefs.js: browser.search.selectedEngine - Yahoo! (Avast)
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxps://search.yahoo.com/yhs/search
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 8580
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{C8CBC109-B04A-4dda-956E-BFFE0360DADD} - (no file)
    Toolbar-Locked - (no file)
    Toolbar-10 - (no file)
    BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
    AddRemove-尚书六号表格文字识别系统 - c:\windows\IsUn0804.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
    27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
    "{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}"=hex:51,66,7a,6c,4c,1d,38,12,3a,25,4d,
    8a,1f,e3,d1,0d,d3,3b,92,3f,05,d7,c9,12
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,
    9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
    ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
    "{C37F9D60-975D-41F2-A745-4DC934D319AA}"=hex:51,66,7a,6c,4c,1d,38,12,0e,9e,6c,
    c7,6f,d9,9c,04,d8,53,0e,89,31,8d,5d,be
    "{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}"=hex:51,66,7a,6c,4c,1d,38,12,3a,a3,f7,
    fd,83,a7,ad,0e,fc,b5,35,e1,ab,2d,25,64
    "{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
    fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
    "{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
    b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:93,b3,c2,e3,d0,b8,cf,01
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b5,04,e2,3f,e9,80,70,44,b6,49,d9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b5,04,e2,3f,e9,80,70,44,b6,49,d9,\
    .
    [HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
    "ClientGUID"=hex:00,39,d8,08,d8,eb,b0,49,ba,1a,1f,0f,1c,48,9b,5a
    .
    [HKEY_USERS\S-1-5-21-669636167-3881197016-1759864487-1000_Classes\SystemFileAssociations\.kux\Shell\O(uOw憿[7b飠 *Sb*_\Command]
    @="\"c:\\Program Files (x86)\\YouKu\\YoukuClient\\YoukuDesktop.exe\" iku://|explorer|%1|"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.16"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YoukuVideo\Shell\O(uOw憿[7b飠 *Sb*_\Command]
    @="\"c:\\Program Files (x86)\\YouKu\\YoukuClient\\YoukuDesktop.exe\" iku://|explorer|%1|"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ 其他运行进程 (Other running processes)------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\program files (x86)\Smart Driver Updater\SDUTray.exe
    c:\program files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    .
    **************************************************************************
    .
    完成时间(Time of completion): 2015-03-14 17:28:40 - 电脑已重新启动(Computer has been restarted)
    ComboFix-quarantined-files.txt 2015-03-15 00:28
    ComboFix2.txt 2015-03-14 16:53
    .
    Pre-Run: 56,654,516,224 bytes free
    Post-Run: 56,067,780,608 bytes free
    .
    - - End Of File - - 6C1B313F02C73EE9023E01C3E1BACBC4
    A36C5E4F47E84449FF07ED3517B43A31
     
  18. 2015/03/15
    broni Moderator Malware Analyst
    Re-run Farbar Recovery Scan Tool (FRST) you ran at the very beginning of this topic.

    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Make sure you checkmark Addition.txt box.
    • Press Scan button.
    • Scan will create two logs, FRST.txt and Addition.txt in the same directory the tool is run. Please copy and paste them to your reply.
     
  19. 2015/03/15
    jharry Inactive Thread Starter
    The text I entered was too long. I was asked to shorten it to 55000 characters. So I'm submitting the results of the FRST scan separately.

    Following is the content of FRST.txt:
    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
    Ran by owner (administrator) on GATEWAY-NV54 on 15-03-2015 21:06:35
    Running from F:\
    Loaded Profiles: owner (Available profiles: owner & fbwuser & Guest)
    Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 10 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    (ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
    (Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
    (Tongfang Knowledge Network Technology(Beijing) Co., Ltd.) C:\Program Files (x86)\TTKN\CAJVD\CAJSHost.exe
    (InterVideo Inc.) C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    (Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
    () C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
    (Acer Incorporated) C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
    (Avanquest Software) C:\Program Files (x86)\Smart Driver Updater\SDUTray.exe
    (AnchorFree Inc.) C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe
    () C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
    (Feitian) C:\Program Files (x86)\ngsrv\ngslotd.exe
    (Nitro PDF Software) C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe
    (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    (Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    (Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxsrvc.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
    (arvato digital services llc) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    () C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
    (RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe
    () C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe
    (Acer) C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
    (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    (AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
    (Intel Corporation) C:\Windows\System32\igfxext.exe
    (Shenzhen Excelsecu Data Technology Co.,ltd.) C:\Program Files (x86)\BOC\USBKEY II\IBank\BOCUK2IBankMon.exe
    (EnterSafe) C:\Program Files (x86)\BOSHEbankTools\BOSHEbankPlugin\FTePass2001\certd_bosh.exe
    (EnterSafe) C:\Program Files (x86)\BOSHEbankTools\BOSHEbankPlugin\FTInterPass3000\certd_I3000_SHBANK.exe
    () C:\Program Files (x86)\BOSHEbankTools\BOSHEbankPlugin\bosh_argusec_usbkey\ak300_bosh_certreg.exe
    (恒宝股份有限公司) C:\Program Files (x86)\BOSHEbankTools\BOSHEbankPlugin\bosh_hb_usbkey\bosh_hb_usbkey_plugins.exe
    (AnchorFree Inc.) C:\Program Files (x86)\Hotspot Shield\bin\HSSCP.exe
    (Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
    (Microsoft Corporation) C:\Windows\System32\cmd.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
    HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [508472 2009-10-09] (Conexant Systems, Inc.)
    HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1842472 2009-09-17] (Synaptics Incorporated)
    HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)
    HKLM\...\Run: [Microsoft Pinyin IME Migration] => C:\Program Files\Common Files\Microsoft Shared\IME12\IMESC\IMSCMIG.EXE [59248 2011-05-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe [244480 2009-09-24] (NewTech Infosystems, Inc.)
    HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1094736 2009-11-01] (Dritek System Inc.)
    HKLM-x32\...\Run: [Microsoft Pinyin IME Migration] => C:\Program Files (x86)\Common Files\microsoft shared\IME12\IMESC\IMSCMIG.EXE [32112 2011-05-31] (Microsoft Corporation)
    HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-02] (AVAST Software)
    HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-18] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [BOCUK2IBankMon.exe] => C:\Program Files (x86)\BOC\USBKEY II\IBank\BOCUK2IBankMon.exe [59792 2014-12-12] (Shenzhen Excelsecu Data Technology Co.,ltd.)
    HKLM-x32\...\Run: [ePass2001_bosh] => C:\Program Files (x86)\BOSHEbankTools\BOSHEbankPlugin\FTePass2001\certd_bosh.exe [125272 2013-12-15] (EnterSafe)
    HKLM-x32\...\Run: [InterPass3000_SHBANK] => C:\Program Files (x86)\BOSHEbankTools\BOSHEbankPlugin\FTInterPass3000\certd_I3000_SHBANK.exe [256344 2014-02-10] (EnterSafe)
    HKLM-x32\...\Run: [AK300_bosh] => C:\Program Files (x86)\BOSHEbankTools\BOSHEbankPlugin\bosh_argusec_usbkey\ak300_bosh_certreg.exe [357744 2013-11-14] ()
    HKLM-x32\...\Run: [HengBao UranuSafe CSP V3.0 For SHBANK] => C:\Program Files (x86)\BOSHEbankTools\BOSHEbankPlugin\bosh_hb_usbkey\bosh_hb_usbkey_plugins.exe [216952 2014-02-24] (恒宝股份有限公司)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
    HKU\S-1-5-21-669636167-3881197016-1759864487-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31087200 2015-01-22] (Skype Technologies S.A.)
    HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> c:\windows\system32\Gateway.SCR [442368 2009-07-30] ()
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
    ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll (Dropbox, Inc.)

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-669636167-3881197016-1759864487-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=AV01
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
    HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
    HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
    SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2414} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=414&sr=0&q={searchTerms}
    SearchScopes: HKLM-x32 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
    SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
    SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2414} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=414&sr=0&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-669636167-3881197016-1759864487-1000 -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2414} URL = http://www.bing.com/search?FORM=U039DF&PC=U039&dt=071013&q={searchTerms}&src=IE-SearchBox
    SearchScopes: HKU\S-1-5-21-669636167-3881197016-1759864487-1000 -> 99B2053569C04989B01B12CECA3CC99E URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=414&sr=0&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-669636167-3881197016-1759864487-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-669636167-3881197016-1759864487-1000 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
    SearchScopes: HKU\S-1-5-21-669636167-3881197016-1759864487-1000 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_dnldstr_14_33_ie&cd=2XzuyEtN2Y1L1QzuyBtDtC0AtDyEyBtAyByDtBtA0A0BtByCtN0D0Tzu0SzyyDzztN1L2XzutAtFtCtFtDtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyD0FtCtA0AtBtBzztG0BtDzyyCtGyC0DyEzytG0AzztB0BtGtAzy0CzzyE0Bzy0FzztC0CyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByE0A0C0D0F0C0DtGzzyDzy0EtGyE0Bzy0BtG0AzytA0EtGzy0C0EyB0AtByD0A0FyE0E0C2Q&cr=1677618460&ir=
    SearchScopes: HKU\S-1-5-21-669636167-3881197016-1759864487-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS358US358
    SearchScopes: HKU\S-1-5-21-669636167-3881197016-1759864487-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2414} URL = http://www.bing.com/search?FORM=U039DF&PC=U039&dt=071013&q={searchTerms}&src=IE-SearchBox
    BHO: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-08-31] (Oracle Corporation)
    BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2014-07-08] (AVAST Software)
    BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
    BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-02-28] (Google Inc.)
    BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2014-07-14] (Microsoft Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-08-31] (Oracle Corporation)
    BHO: No Name -> {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> No File
    BHO-x32: Virtual Account Numbers Helper -> {17424104-1444-4810-85D7-B4DA413C5A9A} -> C:\Program Files (x86)\Virtual Account Numbers\CitiVANHelper.dll [2014-01-07] (Orbiscom Ltd. All rights reserved.)
    BHO-x32: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
    BHO-x32: No Name -> {889D2FEB-5411-4565-8998-1DD2C5261283} -> No File
    BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2014-07-08] (AVAST Software)
    BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
    BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll [2010-11-10] (Microsoft Corporation)
    BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-02-28] (Google Inc.)
    BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
    BHO-x32: CITICS ProcessProtect Class -> {C37F9D60-975D-41f2-A745-4DC934D319AA} -> C:\Windows\SysWOW64\CITICSPP.dll [2010-12-16] (www.ISRA.org.cn)
    BHO-x32: No Name -> {C8CBC109-B04A-4dda-956E-BFFE0360DADD} -> No File
    Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
    Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
    Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-02-28] (Google Inc.)
    Toolbar: HKLM-x32 - Virtual Account Numbers - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANToolbar.dll [2014-01-07] (Orbiscom Ltd. All rights reserved.)
    Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-02-28] (Google Inc.)
    Toolbar: HKU\.DEFAULT -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-02-28] (Google Inc.)
    DPF: HKLM-x32 {78E87ACB-656E-4257-961D-3FADBE77A626} http://wuxizazhi.cnki.net/activex/cajax1.cab
    Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-01] (Skype Technologies)
    Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2014-07-14] (Microsoft Corporation)
    Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
    Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Winsock: Catalog9 01 C:\Program Files (x86)\YouKu\YoukuClient\ikutm.dll [94976] (youku.com)
    Winsock: Catalog9 02 C:\Program Files (x86)\YouKu\YoukuClient\ikutm.dll [94976] (youku.com)
    Winsock: Catalog9 13 C:\Program Files (x86)\YouKu\YoukuClient\ikutm.dll [94976] (youku.com)
    Winsock: Catalog5-x64 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
    Tcpip\..\Interfaces\{C3627550-C014-466F-975A-562836D70C40}: [NameServer] 8.8.8.8

    FireFox:
    ========
    FF ProfilePath: C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\x5lifesp.default-1414986831002
    FF DefaultSearchEngine: Yahoo! (Avast)
    FF DefaultSearchEngine.US: Google
    FF DefaultSearchUrl: https://search.yahoo.com/yhs/search
    FF SearchEngineOrder.1: Yahoo! (Avast)
    FF SelectedSearchEngine: Yahoo! (Avast)
    FF Homepage: about:home
    FF Keyword.URL: https://search.yahoo.com/yhs/search
    FF NetworkProxy: "http", "127.0.0.1"
    FF NetworkProxy: "http_port", 8580
    FF NetworkProxy: "no_proxies_on", ""
    FF NetworkProxy: "type", 0
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-28] ()
    FF Plugin: @alipay.com/npAliInetHealth -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npAlipaydhc64.dll No File
    FF Plugin: @alipay.com/npAliSecCtrl -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npAliSecCtrl64.dll No File
    FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-08-31] (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-08-31] (Oracle Corporation)
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-28] ()
    FF Plugin-x32: @alipay.com/npalidcp -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npalidcp.dll No File
    FF Plugin-x32: @alipay.com/npaliedit -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npaliedit.dll No File
    FF Plugin-x32: @alipay.com/npAliInetHealth -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npAlipaydhc.dll No File
    FF Plugin-x32: @alipay.com/npAliSecCtrl -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npAliSecCtrl.dll No File
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
    FF Plugin-x32: @cfca.com/npCryptoKit.BOC.x86,version=3.4.0.5 -> C:\Windows\system32\npCryptoKit.BOC.x86.dll No File
    FF Plugin-x32: @cfca.com/SecEditCtl.BOC,version=1.0.0.9 -> C:\Windows\system32\npSecEditCtl.BOC.x86.dll No File
    FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
    FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
    FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2013-07-15] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2013-07-15] (Oracle Corporation)
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
    FF Plugin-x32: @real.com/nppl3260;version=17.0.9.17 -> c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll [2014-04-15] (RealNetworks, Inc.)
    FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=17.0.9 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2014-04-06] (RealNetworks, Inc.)
    FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=17.0.9 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2014-04-06] (RealNetworks, Inc.)
    FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=17.0.9 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2014-04-06] (RealNetworks, Inc.)
    FF Plugin-x32: @real.com/nprpplugin;version=17.0.9.17 -> c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll [2014-04-15] (RealPlayer Cloud)
    FF Plugin-x32: @silveraegis.cn/isecurity-bosh,version=2.4.8.0 -> C:\Program Files (x86)\BOSH IBS Security Suite 2.4 For Personal\npisecurity-bosh.dll [2013-01-20] (北京银盾思创网络技术有限公司)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-27] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-27] (Google Inc.)
    FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
    FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
    FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
    FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-02] (Adobe Systems Inc.)
    FF Plugin-x32: CAJAX -> C:\Program Files (x86)\Common Files\TTKN\Bin\npcajax.dll [2012-10-11] (Tongfang Knowledge Network Technology Co., Ltd (Beijing))
    FF Plugin HKU\S-1-5-21-669636167-3881197016-1759864487-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\owner\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-01-27] (Google)
    FF Plugin HKU\S-1-5-21-669636167-3881197016-1759864487-1000: @talk.google.com/O1DPlugin -> C:\Users\owner\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-01-27] (Google)
    FF Plugin HKU\S-1-5-21-669636167-3881197016-1759864487-1000: @tools.google.com/Google Update;version=3 -> C:\Users\owner\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
    FF Plugin HKU\S-1-5-21-669636167-3881197016-1759864487-1000: @tools.google.com/Google Update;version=9 -> C:\Users\owner\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2014-12-02] (Adobe Systems Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppl3260.dll [2014-04-15] (RealNetworks, Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2014-10-26] (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2014-10-26] (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2014-10-26] (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2014-10-26] (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2014-10-26] (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nprpplugin.dll [2014-04-15] (RealPlayer Cloud)
    FF Plugin ProgramFiles/Appdata: C:\Users\owner\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-01-27] (Google)
    FF Plugin ProgramFiles/Appdata: C:\Users\owner\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-01-27] (Google)
    FF SearchPlugin: C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\x5lifesp.default-1414986831002\searchplugins\yahoo-avast.xml [2015-01-11]
    FF Extension: Hotspot Shield Helper (Please allow this installation) - C:\Program Files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com [2015-03-05]
    FF Extension: Hotspot Shield Extension - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\afproxy@anchorfree.com [2015-03-05]
    FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-03-05]
    FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
    FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-07-09]
    FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
    FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-04-15]
    FF HKLM-x32\...\Firefox\Extensions: [{53D8DD28-1C83-41F3-B171-C2ED5B3E5DE8}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
    FF HKLM-x32\...\Firefox\Extensions: [citius@orbiscom] - C:\Program Files (x86)\Virtual Account Numbers
    FF Extension: Virtual Account Numbers for Firefox - C:\Program Files (x86)\Virtual Account Numbers [2014-09-09]
    FF HKU\S-1-5-21-669636167-3881197016-1759864487-1000\...\Firefox\Extensions: [dict@www.youdao.com] - C:\Program Files (x86)\Youdao\Dict4\stable\extensions\firefox
    FF Extension: Youdao Word Capturer - C:\Program Files (x86)\Youdao\Dict4\stable\extensions\firefox [2013-09-20]

    Chrome:
    =======
    CHR HomePage: Default -> www.google.com
    CHR StartupUrls: Default -> "https://www.yahoo.com/?fr=hp-avast&type=agc511 "
    CHR DefaultSearchKeyword: Default -> www.yahoo.com
    CHR DefaultSearchURL: Default -> https://search.yahoo.com/yhs/search?type=agc511&hspart=avast&hsimp=yhs-001&p={searchTerms}
    CHR DefaultSuggestURL: Default -> http://ff.search.yahoo.com/gossip?output=fxjson&command={searchTerms}
    CHR Profile: C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (有道词典Chrome鼠标取词插件) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohddidmgooofkgohkbkaohadkolgejj [2013-09-12]
    CHR Extension: (Google Docs) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-09-12]
    CHR Extension: (Google Drive) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-09-12]
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-08]
    CHR Extension: (YouTube) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-09-12]
    CHR Extension: (Google Search) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-09-12]
    CHR Extension: (Avast Online Security) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-08-10]
    CHR Extension: (RealPlayer Downloader) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-09-12]
    CHR Extension: (Skype Click to Call) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-03-02]
    CHR Extension: (Google Wallet) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-12]
    CHR Extension: (Gmail) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-09-12]
    CHR HKLM-x32\...\Chrome\Extension: [aohddidmgooofkgohkbkaohadkolgejj] - C:\Program Files (x86)\Youdao\Dict4\stable\YDChromeTextExtractor.crx [2013-09-20]
    CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-07-08]
    CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2014-04-06]
    CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
    R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-20] (Apple Inc.)
    R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-07-08] (AVAST Software)
    R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
    R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
    R2 CAJ Service Host; C:\Program Files (x86)\TTKN\CAJVD\CAJSHost.exe [69040 2012-05-29] (Tongfang Knowledge Network Technology(Beijing) Co., Ltd.)
    R2 Capture Device Service; C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe [198168 2007-03-05] (InterVideo Inc.)
    R2 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [263232 2014-01-09] ()
    R2 hshld; C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe [919040 2014-05-16] (AnchorFree Inc.) [File not signed]
    S3 HssTrayService; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [78512 2014-05-16] ()
    R2 HssWd; C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe [430344 2014-05-16] ()
    S2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] () [File not signed]
    S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
    R2 ngSlotD; C:\Program Files (x86)\ngsrv\ngslotd.exe [181624 2012-06-13] (Feitian)
    S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
    R2 NitroReaderDriverReadSpool; C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [341296 2011-01-28] (Nitro PDF Software)
    R2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2013-09-13] (arvato digital services llc)
    R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-04-06] ()
    R2 RealPlayer Cloud Service; c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-04-15] (RealNetworks, Inc.)
    R2 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [23552 2014-04-06] () [File not signed]
    S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
    S2 DeviceHealth; "C:\Program Files (x86)\Microsoft Device Health\DhMachineSvc.exe" [X]
    S2 pcas; "C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\pcas.exe" [X]
    S2 RealtekUSB; C:\Program Files (x86)\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe [X]
    S2 secbizsrv; "C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\secbizsrv.exe" [X]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
    R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-08] ()
    R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-08] (AVAST Software)
    R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-08] (AVAST Software)
    R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-08] ()
    R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-11-21] (AVAST Software)
    R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-08] (AVAST Software)
    R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-08] (AVAST Software)
    R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-08] ()
    S3 CXIR; C:\Windows\System32\drivers\cxcir.sys [43520 2011-02-15] (Conexant Systems, Inc.)
    S3 CXPOLARIS; C:\Windows\System32\drivers\GTATSC.sys [231808 2011-02-13] (Geniatech Systems, Inc.)
    S3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [243200 2009-10-21] (Huawei Technologies Co., Ltd.)
    S3 hitmanpro35; No ImagePath
    R1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [44744 2014-05-16] (AnchorFree Inc.)
    S3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [114304 2009-10-12] (Huawei Technologies Co., Ltd.)
    R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
    S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
    S3 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
    R2 PECKbdProtector; C:\Windows\system32\drivers\PECKP_x64.SYS [53088 2014-12-13] (CSII)
    S3 ProtectorA; C:\Windows\system32\drivers\ProtectorA.sys [22672 2012-01-11] (www.ISRA.org.cn)
    S3 ProtectorA; C:\Windows\SysWOW64\drivers\ProtectorA.sys [20112 2010-12-16] (www.ISRA.org.cn)
    R3 R6BaseSmc; C:\Windows\System32\DRIVERS\smccarda.sys [24360 2012-06-13] (OEM)
    R3 R6BaseSmc; C:\Windows\SysWOW64\DRIVERS\smccarda.sys [14464 2011-05-28] (OEM)
    S2 ROCKEYNT; C:\Windows\SysWOW64\drivers\Rockeynt.sys [18223 2012-12-31] (FeiTian Tech Co.,Ltd) [File not signed]
    R3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2014-05-16] (Anchorfree Inc.)
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-03-15 20:50 - 2015-03-15 20:50 - 00003348 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-669636167-3881197016-1759864487-1000
    2015-03-15 20:50 - 2015-03-15 20:50 - 00003214 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-669636167-3881197016-1759864487-1000
    2015-03-14 17:28 - 2015-03-14 17:28 - 00029714 _____ () C:\ComboFix.txt
    2015-03-14 09:19 - 2011-06-25 23:45 - 00256000 _____ () C:\Windows\PEV.exe
    2015-03-14 09:19 - 2010-11-07 10:20 - 00208896 _____ () C:\Windows\MBR.exe
    2015-03-14 09:19 - 2009-04-19 21:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2015-03-14 09:19 - 2000-08-30 17:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2015-03-14 09:19 - 2000-08-30 17:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2015-03-14 09:19 - 2000-08-30 17:00 - 00098816 _____ () C:\Windows\sed.exe
    2015-03-14 09:19 - 2000-08-30 17:00 - 00080412 _____ () C:\Windows\grep.exe
    2015-03-14 09:19 - 2000-08-30 17:00 - 00068096 _____ () C:\Windows\zip.exe
    2015-03-14 09:11 - 2015-03-14 17:28 - 00000000 ____D () C:\Qoobox
    2015-03-14 09:10 - 2015-03-14 17:17 - 00000000 ____D () C:\Windows\erdnt
    2015-03-14 09:07 - 2015-03-14 09:07 - 05615380 ____R (Swearware) C:\Users\owner\Desktop\ComboFix.exe
    2015-03-12 15:10 - 2015-03-12 15:42 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2015-03-12 15:08 - 2015-03-12 15:42 - 00000000 ____D () C:\Users\owner\Desktop\mbar
    2015-03-12 14:29 - 2015-03-12 14:34 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
    2015-03-12 14:29 - 2015-03-12 14:31 - 00000000 ____D () C:\ProgramData\RogueKiller
    2015-03-10 20:33 - 2015-03-10 20:33 - 00000000 ____D () C:\Users\owner\AppData\Roaming\dlg
    2015-03-10 20:30 - 2015-03-12 13:46 - 00003252 _____ () C:\Windows\System32\Tasks\Smart Driver Updater Schedule
    2015-03-10 20:30 - 2015-03-10 20:30 - 00000000 ____D () C:\Users\owner\Documents\Smart Driver Updater
    2015-03-10 20:17 - 2015-03-12 13:46 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Smart Driver Updater
    2015-03-10 20:17 - 2015-03-10 20:17 - 00001108 _____ () C:\Users\owner\Desktop\Smart Driver Updater.lnk
    2015-03-10 20:17 - 2015-03-10 20:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Driver Updater
    2015-03-10 20:17 - 2015-03-10 20:17 - 00000000 ____D () C:\Program Files (x86)\Smart Driver Updater
    2015-03-05 02:16 - 2015-03-05 02:16 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
    2015-03-03 18:39 - 2015-03-14 17:18 - 00022650 _____ () C:\Windows\PFRO.log
    2015-03-02 00:51 - 2015-03-15 20:53 - 00046459 _____ () C:\Windows\WindowsUpdate.log
    2015-03-01 18:46 - 2015-03-15 20:48 - 00003092 _____ () C:\Windows\setupact.log
    2015-03-01 18:46 - 2015-03-01 18:46 - 00000000 _____ () C:\Windows\setuperr.log
    2015-02-28 18:07 - 2015-02-28 18:07 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
    2015-02-28 02:48 - 2015-02-28 02:48 - 00000055 _____ () C:\Windows\SysWOW64\msxkwn.vxp
    2015-02-27 21:58 - 2015-02-27 21:58 - 00000000 ____D () C:\Windows\system32\config\HiveBackup
    2015-02-27 16:32 - 2015-02-27 16:32 - 00000000 ____D () C:\Users\owner\AppData\Local\FeedbackRpt
    2015-02-27 16:31 - 2015-02-28 02:59 - 00000000 ____D () C:\Users\owner\Documents\TAXACT 2014
    2015-02-27 16:30 - 2015-03-12 14:55 - 00000000 ____D () C:\TaxACT
    2015-02-27 16:30 - 2015-02-28 00:19 - 00000049 _____ () C:\Windows\TaxACT14.ini
    2015-02-27 16:30 - 2015-02-27 16:30 - 00001603 _____ () C:\Users\Public\Desktop\TaxACT 2014.lnk
    2015-02-27 16:30 - 2015-02-27 16:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TaxACT
    2015-02-27 07:10 - 2015-02-27 07:10 - 00000000 ____D () C:\Users\Public\Documents\Screensaver
    2015-02-27 06:17 - 2015-02-27 06:17 - 00025840 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0.bak
    2015-02-27 06:17 - 2015-02-27 06:17 - 00025840 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0.bak
    2015-02-27 06:17 - 2015-02-27 06:17 - 00000552 _____ () C:\Windows\system32\spsys.log
    2015-02-26 22:57 - 2015-03-15 21:06 - 00000000 ____D () C:\FRST
    2015-02-22 23:57 - 2015-02-22 23:57 - 00024576 _____ () C:\BCD_Backup
    2015-02-22 23:57 - 2015-02-22 23:57 - 00021504 ___SH () C:\BCD_Backup.LOG

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-03-15 21:07 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\tracing
    2015-03-15 21:05 - 2010-03-07 12:32 - 00000000 ____D () C:\Users\owner\AppData\Roaming\HaoZip
    2015-03-15 21:05 - 2009-12-19 22:11 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Skype
    2015-03-15 21:04 - 2009-07-13 22:13 - 00726270 _____ () C:\Windows\system32\PerfStringBackup.INI
    2015-03-15 20:57 - 2009-07-13 21:45 - 00006560 _____ () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-03-15 20:57 - 2009-07-13 21:45 - 00006560 _____ () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-03-15 20:48 - 2013-09-12 17:15 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-03-15 20:48 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-03-15 07:14 - 2012-04-07 07:57 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2015-03-14 21:08 - 2011-10-15 05:04 - 00000000 ____D () C:\Users\owner\Documents\wusimei
    2015-03-14 17:19 - 2009-07-13 19:34 - 00000215 _____ () C:\Windows\system.ini
    2015-03-14 17:17 - 2009-07-13 19:34 - 86507520 _____ () C:\Windows\system32\config\SOFTWARE.bak
    2015-03-14 17:17 - 2009-07-13 19:34 - 29884416 _____ () C:\Windows\system32\config\SYSTEM.bak
    2015-03-14 17:17 - 2009-07-13 19:34 - 00532480 _____ () C:\Windows\system32\config\DEFAULT.bak
    2015-03-14 17:17 - 2009-07-13 19:34 - 00061440 _____ () C:\Windows\system32\config\SAM.bak
    2015-03-14 17:17 - 2009-07-13 19:34 - 00028672 _____ () C:\Windows\system32\config\SECURITY.bak
    2015-03-14 16:37 - 2010-01-06 22:22 - 00008456 ___SH () C:\ProgramData\KGyGaAvL.sys
    2015-03-14 09:41 - 2009-07-13 20:20 - 00000000 __RSD () C:\Windows\Media
    2015-03-14 09:04 - 2010-09-21 21:47 - 00000000 ____D () C:\Program Files (x86)\Free Video Converter
    2015-03-14 08:34 - 2015-01-29 17:24 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2015-03-14 08:31 - 2013-09-12 17:15 - 00002150 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
    2015-03-14 08:22 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\system32\NDF
    2015-03-12 21:27 - 2012-02-20 16:19 - 00000000 ____D () C:\Users\owner\Documents\temp
    2015-03-12 15:09 - 2015-01-29 17:24 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
    2015-03-12 09:32 - 2011-12-04 21:54 - 00000000 ____D () C:\Users\owner\Documents\SJU
    2015-03-10 18:00 - 2010-02-28 17:47 - 00000466 _____ () C:\Windows\Tasks\ParetoLogic Registration.job
    2015-03-10 17:46 - 2011-10-12 16:58 - 00000000 ____D () C:\Users\owner\Documents\worldschool
    2015-03-08 21:30 - 2012-12-10 22:54 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000UA.job
    2015-03-06 01:24 - 2011-04-22 01:15 - 00000000 ____D () C:\Users\owner\AppData\Roaming\vlc
    2015-03-05 23:20 - 2012-12-10 22:54 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000Core.job
    2015-03-05 17:01 - 2012-10-04 06:55 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
    2015-03-05 06:16 - 2014-03-18 20:00 - 00000000 ____D () C:\Users\owner\Documents\tax
    2015-03-03 18:39 - 2013-03-13 21:58 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
    2015-03-03 18:39 - 2013-03-13 21:58 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
    2015-03-02 00:56 - 2013-07-20 13:25 - 00001114 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2015-03-02 00:56 - 2012-10-04 06:55 - 00001126 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    2015-03-02 00:51 - 2013-03-13 22:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
    2015-03-02 00:15 - 2009-12-18 15:55 - 00133024 _____ () C:\Users\owner\AppData\Local\GDIPFONTCACHEV1.DAT
    2015-03-02 00:13 - 2009-07-13 21:45 - 00501024 _____ () C:\Windows\system32\FNTCACHE.DAT
    2015-03-01 18:10 - 2010-01-28 17:06 - 00000000 ____D () C:\Users\owner\Documents\registry_backup
    2015-02-28 18:08 - 2013-03-23 19:08 - 00000000 ___RD () C:\Program Files (x86)\Skype
    2015-02-28 18:07 - 2014-03-16 20:13 - 00002697 _____ () C:\Users\Public\Desktop\Skype.lnk
    2015-02-28 18:07 - 2009-12-19 22:11 - 00000000 ____D () C:\ProgramData\Skype
    2015-02-28 08:15 - 2012-04-07 07:57 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2015-02-28 08:15 - 2012-04-07 07:57 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2015-02-28 08:15 - 2011-05-14 17:11 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2015-02-27 06:25 - 2013-09-12 17:15 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
    2015-02-27 06:25 - 2013-09-12 17:15 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
    2015-02-27 06:25 - 2013-09-12 17:15 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

    ==================== Files in the root of some directories =======

    2010-01-30 16:33 - 2002-08-09 00:40 - 0153088 _____ () C:\Program Files (x86)\UNWISE.EXE
    2012-09-07 08:31 - 2013-12-10 02:41 - 0000074 _____ () C:\Users\owner\AppData\Roaming\albumcart.xml
    2014-12-05 19:36 - 2014-12-05 19:36 - 0001078 _____ () C:\Users\owner\AppData\Roaming\base64.cer
    2011-04-05 00:13 - 2012-05-15 19:15 - 0000915 _____ () C:\Users\owner\AppData\Roaming\coreavc.ini
    2012-10-10 17:32 - 2012-10-10 17:32 - 0004786 _____ () C:\Users\owner\AppData\Roaming\info.ini
    2012-09-07 08:30 - 2013-12-10 02:37 - 0000004 _____ () C:\Users\owner\AppData\Roaming\LastUser.ini
    2012-09-07 08:31 - 2014-12-31 13:16 - 0000074 _____ () C:\Users\owner\AppData\Roaming\shoppingcart.xml
    2014-08-28 14:56 - 2015-01-29 01:27 - 0000191 _____ () C:\Users\owner\AppData\Roaming\WB.CFG
    2011-09-07 21:42 - 2015-01-27 17:14 - 0005120 _____ () C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2014-12-16 18:27 - 2014-12-16 18:27 - 0000010 _____ () C:\Users\owner\AppData\Local\DSI.DAT
    2012-05-30 16:15 - 2014-10-19 07:47 - 0007608 _____ () C:\Users\owner\AppData\Local\resmon.resmoncfg
    2012-05-22 16:42 - 2012-05-22 16:42 - 0000000 _____ () C:\ProgramData\-HH1OSz4vwGp6zb
    2012-05-22 16:42 - 2012-05-22 16:42 - 0000168 _____ () C:\ProgramData\-HH1OSz4vwGp6zbr
    2014-03-18 20:13 - 2014-03-18 20:13 - 0000057 _____ () C:\ProgramData\Ament.ini
    2009-12-19 22:15 - 2009-12-19 22:15 - 0000056 _____ () C:\ProgramData\ezsidmv.dat
    2012-05-22 16:42 - 2012-05-22 16:42 - 0000256 _____ () C:\ProgramData\HH1OSz4vwGp6zb
    2010-01-06 22:22 - 2015-03-14 16:37 - 0008456 ___SH () C:\ProgramData\KGyGaAvL.sys

    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => File is digitally signed
    C:\Windows\System32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\System32\services.exe => File is digitally signed
    C:\Windows\System32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\System32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2015-03-01 16:37

    ==================== End Of Log ============================
     
  20. 2015/03/15
    jharry Inactive Thread Starter
    Following is the content of Addition.txt:
    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-03-2015
    Ran by owner at 2015-03-15 21:08:00
    Running from F:\
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Microsoft Security Essentials (Disabled - Up to date) {3F839487-C7A2-C958-E30C-E2825BA31FB5}
    AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
    AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
    AS: Microsoft Security Essentials (Disabled - Up to date) {84E27563-E198-C6D6-D9BC-D9F020245508}

    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    2007 Microsoft Office Suite Service Pack 1 (SP1) (x32 Version: - Microsoft) Hidden
    2007 Microsoft Office Suite Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
    2007 Microsoft Office Suite Service Pack 3 (SP3) (x32 Version: - Microsoft) Hidden
    Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.7.0.1860 - Adobe Systems Incorporated)
    Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
    Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
    Adobe Photoshop CS (HKLM-x32\...\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}) (Version: CS - Adobe Systems, Inc.)
    Adobe Photoshop CS3 10.0 中文版 (HKLM-x32\...\Adobe Photoshop CS3_is1) (Version: - )
    Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
    AML Free Registry Cleaner 4.25 (HKLM-x32\...\{315F5FFC-1A5C-4A2A-B8E7-1C5B1174C198}_is1) (Version: - AML SOFT, Inc.)
    Apple Application Support (32-bit) (HKLM-x32\...\{447CDCE5-F555-429B-BFA6-642C3C6D684F}) (Version: 3.1.2 - Apple Inc.)
    Apple Application Support (64-bit) (HKLM\...\{0DF7096B-715A-4233-8633-C7A16ED6D616}) (Version: 3.1.2 - Apple Inc.)
    Apple Mobile Device Support (HKLM\...\{C4123106-B685-48E6-B9BD-E4F911841EB4}) (Version: 8.1.1.3 - Apple Inc.)
    Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
    ArcSoft TotalMedia 3.5 (HKLM-x32\...\{29E44E9D-ACB2-4D2D-849F-5361C941B7E1}) (Version: 3.5.7.282 - ArcSoft)
    Audacity 1.3.13 (Unicode) (HKLM-x32\...\Audacity 1.3 Beta (Unicode)_is1) (Version: - Audacity Team)
    avast! Free Antivirus (HKLM-x32\...\avast) (Version: 9.0.2021 - AVAST Software)
    Backup Manager Basic (x32 Version: 2.0.0.29 - NewTech Infosystems) Hidden
    Bank Of ShangHai IBS Security Suite For Personal v2.4.8.0 (HKLM-x32\...\{05CDEF69-DF18-4C23-B6D5-094E3BFE7D38}_is1) (Version: 2.4.8.0 - CSII)
    Bank of ShangHai Manager (Remove only) (HKLM-x32\...\ePass2001-4FE7-A218-48BDAE051E2B_bosh) (Version: - )
    BOCNET Security Applet 2.1 (HKLM\...\BOCNET Security Applet_is1) (Version: - Bank of China, Inc.)
    Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
    CAJViewer (HKLM-x32\...\{38CE8FAD-2E31-4CA8-B671-1BA7A8A54B28}) (Version: 7.2 - TTKN)
    Canon CanoScan Toolbox 5.0 (HKLM-x32\...\CanoScan Toolbox 5.0) (Version: - )
    CanoScan LiDE 600F (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4802) (Version: - )
    CCleaner (HKLM\...\CCleaner) (Version: 3.01 - Piriform)
    CITIC B2C PayGate v3.0.1.0506 (HKLM-x32\...\CNCBPayCtl_is1) (Version: 3.0.1.0506 - CHINA CITIC BANK CORPORATION LIMITED)
    CITIC ibanking USBKey driver-FTSAFE(epass2000) v1.0.11.1017 (HKLM-x32\...\4673551D-CITIC-4FE7-A218-48BDAE051E2B_std) (Version: 1.0.11.1017 - )
    CITIC ibanking USBKey driver-GI-DE(starkey220) v1.0.11.1020 (HKLM-x32\...\4673551D-CITIC-4FE7-A218-48BDAE051E2B_GD) (Version: 1.0.11.1020 - )
    CITIC pibanking file certificate safebox v1.0.1.0119 (HKLM-x32\...\CNCBSafePkg_is1) (Version: 1.0.1.0119 - CHINA CITIC BANK CORPORATION LIMITED)
    CITIC pibanking safe driver v1.0.8.0119 (HKLM-x32\...\CNCBSecPkg_is1) (Version: 1.0.8.0119 - CHINA CITIC BANK CORPORATION LIMITED)
    CloudReading (HKLM-x32\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 1.1.59.109 - Foxit Corporation)
    Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
    Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 4.98.9.0 - Conexant)
    Contents (x32 Version: 1.6.0.367 - Corel Corporation) Hidden
    Contents (x32 Version: 15.0.0.258 - Corel Corporation) Hidden
    Corel DVD MovieFactory (x32 Version: 7.0.0 - Corel Corporation) Hidden
    Corel DVD MovieFactory 7 SE (HKLM-x32\...\InstallShield_{50F68032-B5B7-4513-9116-C978DBD8F27A}) (Version: 7.0.0 - Corel Corporation)
    Corel VideoStudio Pro X3 (HKLM-x32\...\_{F072CA07-A781-45E4-9975-C033A73019CF}) (Version: 1.6.2.69 - Corel Corporation)
    CyberLink Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.3108 - CyberLink Corp.)
    CyberLink PowerDVD 8 (HKLM-x32\...\InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}) (Version: 8.0.3402 - CyberLink Corp.)
    D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
    DeviceIO (x32 Version: 1.6.0.367 - Corel Corporation) Hidden
    Driver Install 64-Bit (HKLM-x32\...\InstallShield_{AA107568-1B58-407E-9867-D51F71C9F446}) (Version: 6.1.1229.0 - None)
    Driver Install 64-Bit (x32 Version: 6.1.1229.0 - None) Hidden
    Dropbox (HKU\S-1-5-21-669636167-3881197016-1759864487-1000\...\Dropbox) (Version: 2.0.26 - Dropbox, Inc.)
    eBay Worldwide (HKLM-x32\...\{E0B19DF7-B1C7-4937-82C4-0E4B1E346965}) (Version: 2.1.0901 - OEM)
    Free Video Converter V 3.1 (HKLM-x32\...\Free Video Converter_is1) (Version: 3.1.0.0 - Koyote Soft)
    FreeOCR v4.2 (HKLM-x32\...\freeocr_is1) (Version: - )
    FVD Suite 3.0.0 (HKLM-x32\...\{80E4B2D6-BFF2-402C-96C4-3942DF24CABB}_is1) (Version: - flashvideodownloader.org)
    Gateway Games (HKLM-x32\...\WildTangent gateway Master Uninstall) (Version: 1.0.0.71 - WildTangent)
    Gateway InfoCentre (HKLM-x32\...\Gateway InfoCentre) (Version: 3.02.3000 - Gateway Incorporated)
    Gateway MyBackup (HKLM-x32\...\InstallShield_{72B776E5-4530-4C4B-9453-751DF87D9D93}) (Version: 2.0.0.29 - NewTech Infosystems)
    Gateway Power Management (HKLM-x32\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 4.05.3004 - Gateway Incorporated)
    Gateway Recovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.05.3005 - Gateway Incorporated)
    Gateway Registration (HKLM-x32\...\Gateway Registration) (Version: 1.02.3006 - Gateway Incorporated)
    Gateway ScreenSaver (HKLM-x32\...\Gateway Screensaver) (Version: 1.6.0730 - Gateway Incorporated)
    Gateway Updater (HKLM-x32\...\{EE171732-BEB4-4576-887D-CB62727F01CA}) (Version: 1.01.3017 - Gateway Incorporated)
    Google Chrome (HKLM-x32\...\Google Chrome) (Version: 41.0.2272.89 - Google Inc.)
    Google Talk Plugin (HKLM-x32\...\{0C5C1177-94C5-3EFB-A8BE-3F6AF1AF887F}) (Version: 5.38.6.0 - Google)
    Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6227.252 - Google Inc.)
    Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
    Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
    Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
    HaoZip (HKLM\...\HaoZip) (Version: v2.8 - Ruichuang Network Technology Co.,Ltd)
    HDAUDIO Soft Data Fax Modem with SmartCP (HKLM\...\CNXT_MODEM_HDA_HSF) (Version: 7.80.4.56 - Conexant Systems)
    Hotspot Shield 3.42 (HKLM-x32\...\HotspotShield) (Version: 3.42 - AnchorFree Inc.)
    HP Deskjet 1000 J110 series Basic Device Software (HKLM\...\{A3E89C5B-BB3A-433A-A878-D1310BB13EAD}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
    ICA (x32 Version: 1.6.0.367 - Corel Corporation) Hidden
    ICA (x32 Version: 15.0.0.258 - Corel Corporation) Hidden
    Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3002 - Gateway Incorporated)
    ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
    Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1892 - Intel Corporation)
    Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version: - Intel Corporation)
    InterVideo DeviceService (HKLM-x32\...\{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}) (Version: 1.0.0 - InterVideo)
    IPM_VS_Pro (x32 Version: 13.0 - Corel Corporation) Hidden
    IPM_VS_Pro (x32 Version: 15.0 - Corel Corporation) Hidden
    ISCOM (x32 Version: 15.0.0.258 - Corel Corporation) Hidden
    iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
    Java 7 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.250 - Oracle)
    Java 7 Update 67 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417067FF}) (Version: 7.0.670 - Oracle)
    jTTS 5.0 Desktop (HKLM-x32\...\{4B1FB4D5-F4F5-4897-8251-071AACED33E8}) (Version: 5.0 - SinoVoice)
    Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    K-Lite Codec Pack 8.7.0 (Basic) (HKLM-x32\...\KLiteCodecPack_is1) (Version: 8.7.0 - )
    LAME v3.98.3 for Audacity (HKLM-x32\...\LAME for Audacity_is1) (Version: - )
    Launch Manager (HKLM-x32\...\LManager) (Version: 3.0.04 - Gateway)
    Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
    Messenger Companion (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30320 - Microsoft Corporation)
    Microsoft Office Excel 2007 Help 更新 (KB963678) (HKLM-x32\...\{90120000-0016-0804-0000-0000000FF1CE}_PROPLUS_{CECF0828-8F1F-4205-86B9-61683BAF0321}) (Version: - Microsoft)
    Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
    Microsoft Office Outlook 2007 Help 更新 (KB963677) (HKLM-x32\...\{90120000-001A-0804-0000-0000000FF1CE}_PROPLUS_{CB739C4F-6ABE-4CB2-BC90-57583893094F}) (Version: - Microsoft)
    Microsoft Office Outlook Connector (HKLM-x32\...\{95140000-007A-0409-0000-0000000FF1CE}) (Version: 14.0.5118.5000 - Microsoft Corporation)
    Microsoft Office Powerpoint 2007 Help 更新 (KB963669) (HKLM-x32\...\{90120000-0018-0804-0000-0000000FF1CE}_PROPLUS_{833A1F95-EEEB-47D3-B13F-3243AB2E7FA5}) (Version: - Microsoft)
    Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
    Microsoft Office Professional Plus 2007 (HKLM-x32\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)
    Microsoft Office SharePoint Designer 2007 (HKLM-x32\...\SharePointDesigner) (Version: 12.0.6215.1000 - Microsoft Corporation)
    Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1) (HKLM-x32\...\{90120000-0017-0000-0000-0000000FF1CE}_SharePointDesigner_{37180755-CA2B-40AD-9637-89FB0CE7CB36}) (Version: - Microsoft)
    Microsoft Office Word 2007 Help 更新 (KB963665) (HKLM-x32\...\{90120000-001B-0804-0000-0000000FF1CE}_PROPLUS_{53A3BCC0-3278-4729-8718-D17DEC19DE48}) (Version: - Microsoft)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (HKLM\...\{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}) (Version: 8.0.51011 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
    Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (HKLM\...\{EE936C7A-EA40-31D5-9B65-8E3E089C3828}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (HKLM-x32\...\{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (HKLM\...\{8338783A-0968-3B85-AFC7-BAAE0A63DC50}) (Version: 9.0.30729.5570 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
    Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
    MLE (x32 Version: 1.0.0.23 - Corel Corporation) Hidden
    Mobile Partner (HKLM-x32\...\Mobile Partner) (Version: 15.001.05.01.631 - Huawei Technologies Co.,Ltd)
    Mozilla Firefox 36.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 36.0.1 (x86 en-US)) (Version: 36.0.1 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 36.0 - Mozilla)
    MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
    MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
    MyFreeCodec (HKU\S-1-5-21-669636167-3881197016-1759864487-1000\...\MyFreeCodec) (Version: - )
    Nitro PDF Reader (HKLM\...\{6E6D8C68-297D-4F09-9885-C649CA12E4A5}) (Version: 1.4.0.11 - Nitro PDF Software)
    npCryptoKit.BOC.x86 (only remove) (HKLM-x32\...\npCryptoKit.BOC.x863004005) (Version: - CFCA)
    OpenOffice.org 3.0 (HKLM-x32\...\{F44DA61E-720D-4E79-871F-F6E628B33242}) (Version: 3.0.9358 - OpenOffice.org)
    PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
    PowerVideoMaker Professional 5.0 (HKLM-x32\...\PowerVideoMaker Professional_is1) (Version: 5.0 - Presentersoft)
    PureHD (x32 Version: 1.6.0.367 - Corel Corporation) Hidden
    QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
    RealDownloader (x32 Version: 17.0.9 - RealNetworks, Inc.) Hidden
    RealNetworks - Microsoft Visual C++ 2008 Runtime (x32 Version: 9.0 - RealNetworks, Inc) Hidden
    RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0 - RealNetworks, Inc) Hidden
    RealNetworks - Microsoft Visual C++ 2010 Runtime (x32 Version: 10.0 - RealNetworks, Inc) Hidden
    RealPlayer Cloud (HKLM-x32\...\RealPlayer 17.0) (Version: 17.0.9 - RealNetworks)
    Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7100.30093 - Realtek Semiconductor Corp.)
    REALTEK Wireless LAN Driver and Utility (HKLM-x32\...\{0DF70CB6-553A-4C57-8E6D-87635EECFB78}) (Version: 1.00.0145 - REALTEK Semiconductor Corp.)
    REALTEK Wireless LAN Driver and Utility (HKLM-x32\...\{BE686891-3C56-4714-AFEF-341A7867BA80}) (Version: 1.00.0145 - REALTEK Semiconductor Corp.)
    RealUpgrade 1.1 (x32 Version: 1.1.0 - RealNetworks, Inc.) Hidden
    Recuva (HKLM\...\Recuva) (Version: 1.51 - Piriform)
    Regi (Version: 1.00.0000 - InterVideo Inc.) Hidden
    Revo Uninstaller 1.92 (HKLM-x32\...\Revo Uninstaller) (Version: 1.92 - VS Revo Group)
    Runtime (x32 Version: 1.00.0000 - Your Company Name) Hidden
    Samsung Kies (HKLM-x32\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.3.14044.14 - Samsung Electronics Co., Ltd.)
    Samsung Kies (x32 Version: 2.6.3.14044.14 - Samsung Electronics Co., Ltd.) Hidden
    SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.43.0 - SAMSUNG Electronics Co., Ltd.)
    SecEditCtl.BOC (only remove) (HKLM-x32\...\SecEditCtl.BOC01000009) (Version: - CFCA)
    Setup (x32 Version: 1.6.0.367 - Corel Corporation) Hidden
    Setup (x32 Version: 15.0.0.258 - Corel Corporation) Hidden
    Share (x32 Version: 1.6.0.367 - Corel Corporation) Hidden
    Share (x32 Version: 15.0.0.258 - Corel Corporation) Hidden
    Share64 (Version: 1.6.0.367 - Corel Corporation) Hidden
    Share64 (Version: 15.0.0.258 - Corel Corporation) Hidden
    SHBANK Manager Uninstall (Remove only) (HKLM-x32\...\InterPass3000-4b91-90CB-F11EFF6DE18D_SHBANK) (Version: - )
    SHOCR70 (HKLM-x32\...\{4B9AADC2-2433-46A3-AE13-3A2CC0DF42FE}) (Version: - )
    Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.3.16540.9015 - Microsoft Corporation)
    Skype™ 7.1 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.1.105 - Skype Technologies S.A.)
    Smart Driver Updater v3.2 (HKLM-x32\...\Smart Driver Updater_is1) (Version: 3.2 - Avanquest Software)
    SmartSound Common Data (HKLM-x32\...\InstallShield_{B8A2869E-30CA-40C5-9CF8-BD7354E57EF8}) (Version: 1.1.0 - SmartSound Software Inc.)
    SmartSound Common Data (x32 Version: 1.1.0 - SmartSound Software Inc.) Hidden
    SmartSound Quicktracks 5 (HKLM-x32\...\InstallShield_{2F8BA3FD-1FA9-4279-B696-712ABB12F09F}) (Version: 5.1.6 - SmartSound Software Inc.)
    SmartSound Quicktracks 5 (x32 Version: 5.1.6 - SmartSound Software Inc.) Hidden
    Sony USB Driver (HKLM-x32\...\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}) (Version: 2.00 - Sony Corporation)
    Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 14.0.6.0 - Synaptics Incorporated)
    TaxACT 2014 - 1040 Edition (HKLM-x32\...\TaxACT 2014 - 1040 Edition) (Version: 1.03 - TaxACT, Inc.)
    U3Launcher (HKLM-x32\...\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}) (Version: 1.0.0 - U3)
    Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
    UpdateService (x32 Version: 1.0.0 - RealNetworks, Inc.) Hidden
    Video Web Camera (HKLM-x32\...\{6D9021DC-CF1B-4148-8C80-6D8E8A8A33EB}) (Version: 0.5.13.1 - SuYin)
    VIO (x32 Version: 1.6.0.367 - Corel Corporation) Hidden
    Virtual Account Numbers (HKLM-x32\...\{DE700910-58F7-4D2E-B7E6-3BA2DA1B6806}) (Version: 4.0.0.2253 - Citi)
    Virtual Account Numbers (x32 Version: 1.0.6.0 - Citi) Hidden
    VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
    VSClassic (x32 Version: 1.6.0.367 - Corel Corporation) Hidden
    VSClassic (x32 Version: 15.0.0.258 - Corel Corporation) Hidden
    VSHelp (x32 Version: 15.0.0.258 - Corel Corporation) Hidden
    VSPro (x32 Version: 1.6.0.367 - Corel Corporation) Hidden
    VSPro (x32 Version: 15.0.0.258 - Corel Corporation) Hidden
    Welcome Center (HKLM-x32\...\Gateway Welcome Center) (Version: 1.00.3009 - Gateway Incorporated)
    Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3502.0922 - Microsoft Corporation)
    Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
    Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
    Windows Media Encoder 9 Series (HKLM-x32\...\Windows Media Encoder 9) (Version: - )
    WinPcap 4.1.2 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2001 - CACE Technologies)
    Zinio Reader 4 (HKLM-x32\...\ZinioReader4.9310D8F796442B71068C511E15D70529A702D19D.1) (Version: 4.2.3972 - Zinio LLC)
    Zinio Reader 4 (x32 Version: 4.2.3972 - Zinio LLC) Hidden
    中信银行网上银行安全增强控件 v1.1.0.0 (HKLM-x32\...\CNCBGuard_is1) (Version: 1.1.0.0 - CHINA CITIC BANK CORPORATION LIMITED)
    中信银行网银伴侣 V2.0 (HKLM-x32\...\CiticPersonHelpmate_is1) (Version: 2.0.0.0 - CHINA CITIC BANK CORPORATION LIMITED)
    中国银行网上银行安全控件 1.5 (HKLM-x32\...\中国银行网上银行安全控件_is1) (Version: - Bank of China, Inc.)
    中行网银USBKey数字安全证书管理工具 (HKLM-x32\...\BOCNetBankExcelsecuTool) (Version: 1.0.1.196 - Shenzhen Excelsecu Data Technology Co.,ltd.)
    优酷客户端 (HKLM-x32\...\YoukuClient) (Version: 4.6.0.4221 - youkutudou, Inc.)
    光影看图 (HKLM-x32\...\光影看图) (Version: - 迅雷网络技术有限公司)
    光影魔术手 (HKLM-x32\...\光影魔术手) (Version: - 迅雷网络技术有限公司)
    好压 v1.5(Build 3087) (HKLM-x32\...\HaoZip) (Version: v1.5(Build 3087) - 好压软件工作室)
    尚书六号表格文字识别系统 (HKLM-x32\...\尚书六号表格文字识别系统) (Version: - )
    微软设备健康助手 (HKLM-x32\...\{2EAC4B0F-6E44-4FF6-AA5E-5D100F2BAA59}) (Version: 1.0.23.0 - Microsoft Corporation)
    有道词典 (HKLM-x32\...\有道词典) (Version: 4.4 - 网易公司)
    福昕阅读器 (HKLM-x32\...\Foxit Reader_is1) (Version: 6.1.3.124 - 福昕软件开发股份有限公司)
    美图馆客户端 (HKLM\...\{37F5BABF-D1D5-4B9F-94F2-528CE3E42926}) (Version: 1.1.4 - 美图馆)
    词霸2011Beta版 (HKLM-x32\...\PowerWordPE) (Version: 2011.01.24.018 - Kingsoft corporation)

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

    CustomCLSID: HKU\S-1-5-21-669636167-3881197016-1759864487-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-669636167-3881197016-1759864487-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\owner\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll (Google Inc.)
    CustomCLSID: HKU\S-1-5-21-669636167-3881197016-1759864487-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\owner\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll (Google Inc.)
    CustomCLSID: HKU\S-1-5-21-669636167-3881197016-1759864487-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-669636167-3881197016-1759864487-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-669636167-3881197016-1759864487-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-669636167-3881197016-1759864487-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll (Dropbox, Inc.)

    ==================== Restore Points =========================

    28-02-2015 05:09:29 Windows Backup
    12-03-2015 14:52:57 Before New Anti-virus check
    14-03-2015 09:20:09 ComboFix created restore point

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-13 19:34 - 2015-03-14 17:19 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
    127.0.0.1 localhost

    ==================== Scheduled Tasks (whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

    Task: {0465E15E-B9F2-4FBD-BF53-52A1C25564B5} - System32\Tasks\Smart Driver Updater Schedule => C:\Program Files (x86)\Smart Driver Updater\SDUTray.exe [2014-06-27] (Avanquest Software)
    Task: {114F8952-8099-488E-868C-E7558D47238C} - System32\Tasks\{950F738E-AC2D-40F1-8034-F6233EBF9CDE} => pcalua.exe -a "D:\会声会影12 官方中文版\setup.exe" -d "D:\会声会影12 官方中文版 "
    Task: {17B7E553-E0DF-43A7-A486-8BE7396A9433} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-09-12] (Google Inc.)
    Task: {1910F3A8-F716-456E-A747-65BBB87984CB} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-09-12] (Google Inc.)
    Task: {1A450A26-FC75-4FA4-9DBA-FFE7668602D6} - System32\Tasks\{61E3C175-04DB-4A20-8D7F-70F9A834DCCD} => pcalua.exe -a E:\downloads\realtek\RTL8187B_Drv_XP_5.1162.0610.2009_Win7_62.1181.1105.2009_UI_1.00.0145.ALL.L\Setup.exe -d E:\downloads\realtek\RTL8187B_Drv_XP_5.1162.0610.2009_Win7_62.1181.1105.2009_UI_1.00.0145.ALL.L
    Task: {272658E1-1946-41DF-8D22-FE9315C7C888} - System32\Tasks\ParetoLogic Registration => Rundll32.exe "C:\Program Files (x86)\Common Files\ParetoLogic\UUS2\UUS.dll" RunUns
    Task: {3AF91AFE-0178-4DC1-B1AA-C658D04C8CAC} - System32\Tasks\{3A1D6DF7-A0DB-46B1-906E-7A8C328E562F} => pcalua.exe -a C:\Users\owner\Downloads\installer_intervideo_windvd_9_0_English.exe -d C:\Users\owner\Downloads
    Task: {3E8F9480-6CC9-4F2F-9807-23275237F2D5} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-669636167-3881197016-1759864487-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe [2014-04-06] (RealNetworks, Inc.)
    Task: {44561622-136F-4BCE-B267-1629A7D56E5B} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000UA => C:\Users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-10] (Google Inc.)
    Task: {514829C8-DA92-4D2A-BA19-939B7B22802B} - System32\Tasks\{7BFC9DAD-7C26-45D8-9E58-0E2339D9DDB9} => pcalua.exe -a D:\SETUP.EXE -d D:\
    Task: {52F12402-A3C0-4461-8441-6FBEF7F45892} - System32\Tasks\{0C9593F9-1B0E-4FF1-B802-BA62EE7C5A54} => Iexplore.exe http://ui.skype.com/ui/0/5.5.0.124/...notincluded,google-chrome:notoffered;disabled
    Task: {53446381-8790-4790-8E09-291084CC7C78} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-669636167-3881197016-1759864487-1000 => C:\Program Files (x86)\Real\RealUpgrade\realupgrade.exe [2014-04-06] (RealNetworks, Inc.)
    Task: {7147A6CE-1975-4728-818B-38208A61AB2D} - System32\Tasks\{0BD58758-5698-413B-B596-A43FE1132325} => C:\Program Files (x86)\Skype\Phone\Skype.exe [2015-01-22] (Skype Technologies S.A.)
    Task: {728C6CC5-BD20-442B-B6AE-8B214341A823} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000Core => C:\Users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-10] (Google Inc.)
    Task: {7F89A30D-7DD5-4B06-91F9-25FC7376A95F} - System32\Tasks\{4338ED00-8871-4E0E-BCFE-DCE9F1AFA278} => C:\Program Files (x86)\Kingsoft\PowerWordPE\XDict.exe [2011-11-13] (Copyright (c) Kingsoft Corporation Limited. All rights reserved.)
    Task: {9271301D-994B-4537-B79C-B71E4F2D63CE} - System32\Tasks\{53B7E8D8-BB0D-4B5E-A7B0-A4286B87C9AA} => C:\Program Files (x86)\Real\RealPlayer\realplay.exe [2014-04-15] (RealNetworks, Inc.)
    Task: {9B66791F-605D-4689-92A9-B1E6DFAD04CA} - System32\Tasks\{986573BF-4572-4524-832B-06D0BE244EB7} => C:\Program Files (x86)\CNCB\PerCiticMate\Launcher.exe
    Task: {AB39889B-E43E-494C-B943-AF9B70484C1F} - System32\Tasks\{CFF9F363-85E4-41E3-9247-7BE8EED0A33D} => pcalua.exe -a "C:\Program Files\Microsoft Security Client\Setup.exe" -c /x
    Task: {BF090893-388D-43D0-844A-A97D15BA7F7C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-28] (Adobe Systems Incorporated)
    Task: {C082B72D-811C-43A4-8DC1-3F8832FE846C} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-669636167-3881197016-1759864487-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe [2014-04-06] (RealNetworks, Inc.)
    Task: {C9AE45C9-B781-4481-AB9D-44A0C87CC7B5} - System32\Tasks\{7BC329F4-255B-4F3C-AAD7-C7419E1871F4} => pcalua.exe -a E:\downloads\nero\Nero-6.6.1.4_eng.exe -d E:\downloads\nero
    Task: {CC0E764A-BBC3-4124-8514-A9685C838864} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2014-07-08] (AVAST Software)
    Task: {D0853781-C6D6-49B3-89DC-1DA6017AE3CD} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe <==== ATTENTION
    Task: {D918CCA6-FD55-41F1-8133-A767B7A4323E} - System32\Tasks\{903D052D-85EB-4269-AD6D-07C3F277A98A} => C:\Program Files (x86)\ChineseLib\chineseLib.exe
    Task: {D9E82ACD-AB52-4950-AC5C-88640D572C9E} - \WSE_Astromenda No Task File <==== ATTENTION
    Task: {DF4A596D-BBA2-47F6-9286-865C18E3BA20} - System32\Tasks\{6C6CED9E-0A66-45ED-9BB8-460B6D2DF925} => C:\Program Files\Microsoft Security Client\msseces.exe [2013-01-27] (Microsoft Corporation)
    Task: {DF893944-2EA5-4AFC-9F9A-403CD6F11D2C} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-669636167-3881197016-1759864487-1000 => C:\Program Files (x86)\Real\RealUpgrade\realupgrade.exe [2014-04-06] (RealNetworks, Inc.)
    Task: {E3E1BF31-8399-4885-B229-3B7E39CE701A} - System32\Tasks\{BD1AA12C-16FD-471B-8DF8-0DFAC23D6F9F} => C:\Program Files (x86)\Real\RealPlayer\realplay.exe [2014-04-15] (RealNetworks, Inc.)
    Task: {E57E8527-1422-4AAF-81D9-626C5301EAB6} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
    Task: {E76994CF-FDBF-45AD-B977-744106AA7A7B} - System32\Tasks\{EB512880-8AC3-4253-AA12-69DD790B72BB} => pcalua.exe -a C:\Downloads\qianqianjingting\ttpsetup_5712.exe -d C:\Downloads\qianqianjingting
    Task: {EBB58B1E-F45F-4B6E-8267-821986D65E36} - System32\Tasks\{E95ED5D8-468F-4EE0-9BF2-ABE767A25414} => pcalua.exe -a D:\Setup.exe -d D:\
    Task: {EC755161-D7D6-4D7A-A9E1-8F81B793D8C1} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-669636167-3881197016-1759864487-1000 => C:\Program Files (x86)\Real\RealUpgrade\realupgrade.exe [2014-04-06] (RealNetworks, Inc.)
    Task: {EFA532F1-EB69-4C99-B292-3E47A9C66BDC} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-669636167-3881197016-1759864487-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe [2014-04-06] (RealNetworks, Inc.)
    Task: {F67A6ACF-A357-4E0A-AA7C-41DF5C62D5C5} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-669636167-3881197016-1759864487-1000 => C:\Program Files (x86)\Real\RealUpgrade\realupgrade.exe [2014-04-06] (RealNetworks, Inc.)
    Task: {F807B8EF-9FA7-46EB-B148-07ACCE46DD56} - System32\Tasks\ParetoLogic Update Version2 => C:\Program Files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13] ()
    Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000Core.job => C:\Users\owner\AppData\Local\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000UA.job => C:\Users\owner\AppData\Local\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\ParetoLogic Registration.job => C:\Windows\system32\rundll32.exeFC:\Program Files (x86)\Common Files\ParetoLogic\UUS2\UUS.dll
    Task: C:\Windows\Tasks\ParetoLogic Update Version2.job => C:\Program Files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe

    ==================== Loaded Modules (whitelisted) ==============

    2015-01-20 23:35 - 2015-01-20 23:35 - 00085832 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    2015-01-20 23:35 - 2015-01-20 23:35 - 01346344 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
    2014-07-22 16:19 - 2014-01-09 10:57 - 00263232 _____ () C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
    2014-05-16 15:34 - 2014-05-16 15:34 - 00430344 _____ () C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
    2014-04-06 08:00 - 2014-04-06 08:00 - 00039568 _____ () C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
    2014-04-06 12:06 - 2014-04-06 12:06 - 00023552 _____ () C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe
    2014-12-13 18:56 - 2013-11-14 02:18 - 00357744 _____ () C:\Program Files (x86)\BOSHEbankTools\BOSHEbankPlugin\bosh_argusec_usbkey\ak300_bosh_certreg.exe
    2014-07-08 19:04 - 2014-07-08 19:04 - 00301152 _____ () C:\Program Files\AVAST Software\Avast\aswProperty.dll
    2015-03-15 20:51 - 2015-03-15 20:51 - 02922496 _____ () C:\Program Files\AVAST Software\Avast\defs\15031501\algo.dll
    2014-05-16 17:11 - 2014-05-16 17:11 - 00908584 _____ () C:\Program Files (x86)\Hotspot Shield\bin\af_proxy.dll
    2014-05-16 17:37 - 2014-05-16 17:37 - 00506664 _____ () C:\Program Files (x86)\Hotspot Shield\bin\HssRep.dll
    2009-02-02 17:33 - 2009-02-02 17:33 - 00460199 _____ () C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\sqlite3.dll
    2008-09-28 17:55 - 2008-09-28 17:55 - 01076224 _____ () C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\ACE.dll
    2014-04-15 15:30 - 2014-04-15 15:30 - 00859224 _____ () c:\program files (x86)\real\realplayer\RPDS\Plugins\cldplin.dll
    2014-07-08 19:04 - 2014-07-08 19:04 - 19329904 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
    2014-12-13 18:56 - 2013-11-14 02:18 - 01017856 _____ () C:\Windows\system32\ak300_bosh_csp11.dll

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

    AlternateDataStreams: C:\ProgramData\Temp:373E1720
    AlternateDataStreams: C:\ProgramData\Temp:EEDA5B17

    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (whitelisted) ===============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\owner\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
    DNS Servers: 192.168.1.254

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)

    MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Camera Monitor HD.lnk => C:\Windows\pss\Camera Monitor HD.lnk.CommonStartup
    MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk => C:\Windows\pss\InterVideo WinCinema Manager.lnk.CommonStartup
    MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^RealPlayer Cloud Service UI.lnk => C:\Windows\pss\RealPlayer Cloud Service UI.lnk.CommonStartup
    MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^TMMonitor.lnk => C:\Windows\pss\TMMonitor.lnk.CommonStartup
    MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe "
    MSCONFIG\startupreg: ArcSoft Connection Service => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    MSCONFIG\startupreg: BaofengPlatform => "C:\Program Files (x86)\Baofeng\StormPlayer\BaofengPlatform.exe" /autorun
    MSCONFIG\startupreg: BOCUK2IBankMon.exe => "C:\Program Files (x86)\BOC\USBKEY II\IBank\BOCUK2IBankMon.exe "
    MSCONFIG\startupreg: CITICibnkmt => C:\Program Files (x86)\CNCB\PerCiticMate\Launcher.exe -/PerBS
    MSCONFIG\startupreg: citic_certd => "C:\Program Files (x86)\CITICBank\FeiTian\citic_certd.exe" -r -a
    MSCONFIG\startupreg: citic_certd_gd => C:\Program Files (x86)\CITICBank\GD\citic_certd_gd.exe -r -a
    MSCONFIG\startupreg: IBankMate => C:\Program Files (x86)\CNCB\PerCiticMate\RunMate.exe
    MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe "
    MSCONFIG\startupreg: KiesTrayAgent => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    MSCONFIG\startupreg: Pareto_Update => C:\Program Files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
    MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
    MSCONFIG\startupreg: Standby => "c:\Program Files (x86)\Common Files\Corel\Standby\Standby.exe" -START
    MSCONFIG\startupreg: Stormtray => C:\Program Files (x86)\StormII\Stormtray.exe /Start
    MSCONFIG\startupreg: TkBellExe => "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
    MSCONFIG\startupreg: VideoWebCamera => "C:\Program Files (x86)\VideoWebCamera\VideoWebCamera.exe" -a
    MSCONFIG\startupreg: Virtual Account Numbers => C:\PROGRA~2\VIRTUA~1\CitiVAN.exe /lang=en_RG /dontopenmycards

    ==================== Accounts: =============================

    Administrator (S-1-5-21-669636167-3881197016-1759864487-500 - Administrator - Disabled)
    fbwuser (S-1-5-21-669636167-3881197016-1759864487-1097 - Limited - Disabled) => C:\Users\fbwuser
    Guest (S-1-5-21-669636167-3881197016-1759864487-501 - Limited - Disabled) => C:\Users\Guest
    HomeGroupUser$ (S-1-5-21-669636167-3881197016-1759864487-1002 - Limited - Enabled)
    owner (S-1-5-21-669636167-3881197016-1759864487-1000 - Administrator - Enabled) => C:\Users\owner

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (03/14/2015 07:04:16 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
    .

    Error: (03/13/2015 10:24:07 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
    .

    Error: (03/01/2015 02:49:46 AM) (Source: MsiInstaller) (EventID: 11714) (User: gateway-NV54)
    Description: Product: iTunes -- Error 1714. The older version of iTunes cannot be removed. Contact your technical support group. System Error 1612.

    Error: (03/01/2015 02:12:40 AM) (Source: MsiInstaller) (EventID: 11714) (User: gateway-NV54)
    Description: Product: iTunes -- Error 1714. The older version of iTunes cannot be removed. Contact your technical support group. System Error 1612.

    Error: (02/01/2015 00:20:47 PM) (Source: Application Error) (EventID: 1005) (User: )
    Description: Windows cannot access the file for one of the following reasons:
    there is a problem with the network connection, the disk that the file is stored on, or the storage
    drivers installed on this computer; or the disk is missing.
    Windows closed the program Corel VideoStudio because of this error.

    Program: Corel VideoStudio
    File:

    The error value is listed in the Additional Data section.
    User Action
    1. Open the file again.
    This situation might be a temporary problem that corrects itself when the program runs again.
    2.
    If the file still cannot be accessed and
    - It is on the network,
    your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
    3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
    4. If the problem persists, restore the file from a backup copy.
    5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
    further assistance.

    Additional Data
    Error value: 00000000
    Disk type: 0

    Error: (02/01/2015 00:20:47 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: vstudio.exe, version: 17.1.0.22, time stamp: 0x53872db4
    Faulting module name: afAcceleratedLib.dll, version: 17.0.0.249, time stamp: 0x52bb4288
    Exception code: 0xc000001d
    Fault offset: 0x000367f4
    Faulting process id: 0x100c
    Faulting application start time: 0xvstudio.exe0
    Faulting application path: vstudio.exe1
    Faulting module path: vstudio.exe2
    Report Id: vstudio.exe3

    Error: (02/01/2015 00:13:50 PM) (Source: Application Error) (EventID: 1005) (User: )
    Description: Windows cannot access the file for one of the following reasons:
    there is a problem with the network connection, the disk that the file is stored on, or the storage
    drivers installed on this computer; or the disk is missing.
    Windows closed the program Corel VideoStudio because of this error.

    Program: Corel VideoStudio
    File:

    The error value is listed in the Additional Data section.
    User Action
    1. Open the file again.
    This situation might be a temporary problem that corrects itself when the program runs again.
    2.
    If the file still cannot be accessed and
    - It is on the network,
    your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
    3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
    4. If the problem persists, restore the file from a backup copy.
    5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
    further assistance.

    Additional Data
    Error value: 00000000
    Disk type: 0

    Error: (02/01/2015 00:13:50 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: vstudio.exe, version: 17.1.0.22, time stamp: 0x53872db4
    Faulting module name: afAcceleratedLib.dll, version: 17.0.0.249, time stamp: 0x52bb4288
    Exception code: 0xc000001d
    Fault offset: 0x000367f4
    Faulting process id: 0x1200
    Faulting application start time: 0xvstudio.exe0
    Faulting application path: vstudio.exe1
    Faulting module path: vstudio.exe2
    Report Id: vstudio.exe3

    Error: (02/01/2015 10:51:29 AM) (Source: Application Error) (EventID: 1005) (User: )
    Description: Windows cannot access the file for one of the following reasons:
    there is a problem with the network connection, the disk that the file is stored on, or the storage
    drivers installed on this computer; or the disk is missing.
    Windows closed the program Corel VideoStudio because of this error.

    Program: Corel VideoStudio
    File:

    The error value is listed in the Additional Data section.
    User Action
    1. Open the file again.
    This situation might be a temporary problem that corrects itself when the program runs again.
    2.
    If the file still cannot be accessed and
    - It is on the network,
    your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
    3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
    4. If the problem persists, restore the file from a backup copy.
    5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
    further assistance.

    Additional Data
    Error value: 00000000
    Disk type: 0

    Error: (02/01/2015 10:51:29 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: vstudio.exe, version: 17.1.0.22, time stamp: 0x53872db4
    Faulting module name: afAcceleratedLib.dll, version: 17.0.0.249, time stamp: 0x52bb4288
    Exception code: 0xc000001d
    Fault offset: 0x000367f4
    Faulting process id: 0x1128
    Faulting application start time: 0xvstudio.exe0
    Faulting application path: vstudio.exe1
    Faulting module path: vstudio.exe2
    Report Id: vstudio.exe3


    System errors:
    =============
    Error: (03/15/2015 08:48:51 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
    Description: The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.

    Error: (03/15/2015 08:48:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Alipay security business service service failed to start due to the following error:
    %%2

    Error: (03/15/2015 08:48:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The ROCKEYNT service failed to start due to the following error:
    %%1275

    Error: (03/15/2015 08:48:51 PM) (Source: Application Popup) (EventID: 1060) (User: )
    Description: \??\C:\Windows\SysWow64\drivers\Rockeynt.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

    Error: (03/15/2015 08:48:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The RealtekUSB service failed to start due to the following error:
    %%2

    Error: (03/15/2015 08:48:47 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Alipay payment client security service service failed to start due to the following error:
    %%2

    Error: (03/15/2015 08:48:30 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
    Description: The Microsoft Network Inspection System service depends the following service: BFE. This service might not be installed.

    Error: (03/15/2015 08:48:29 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
    Description: The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

    Error: (03/15/2015 08:48:18 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
    Description: The Windows Firewall service depends the following service: BFE. This service might not be installed.

    Error: (03/15/2015 08:48:09 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
    Description: The Microsoft Antimalware Service service terminated with the following error:
    %%-2147024894


    Microsoft Office Sessions:
    =========================
    Error: (11/24/2014 08:58:03 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
    Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 23 seconds with 0 seconds of active time. This session ended with a crash.

    Error: (07/20/2013 02:11:28 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
    Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6600.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 561 seconds with 60 seconds of active time. This session ended with a crash.

    Error: (06/03/2012 07:35:35 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
    Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 1546 seconds with 60 seconds of active time. This session ended with a crash.


    CodeIntegrity Errors:
    ===================================
    Date: 2015-03-14 17:15:53.620
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2015-03-14 17:15:52.938
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2015-03-14 17:15:52.251
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2015-03-14 17:15:51.571
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2015-03-14 09:39:53.086
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2015-03-14 09:39:52.536
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


    ==================== Memory info ===========================

    Processor: Pentium(R) Dual-Core CPU T4300 @ 2.10GHz
    Percentage of memory in use: 35%
    Total physical RAM: 4024.93 MB
    Available physical RAM: 2606.49 MB
    Total Pagefile: 8048.04 MB
    Available Pagefile: 6617.49 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.85 MB

    ==================== Drives ================================

    Drive c: (Gateway) (Fixed) (Total:453.94 GB) (Free:52.33 GB) NTFS
    Drive f: (KINGSTON U3) (Removable) (Total:1.9 GB) (Free:1.39 GB) FAT32

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 52D952D9)
    Partition 1: (Not Active) - (Size=11.7 GB) - (Type=27)
    Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=453.9 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 1.9 GB) (Disk ID: 9B9E7A1B)
    Partition 1: (Active) - (Size=1.9 GB) - (Type=0B)

    ==================== End Of Log ============================
     
  21. 2015/03/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're running two AV programs, MSE and Avast.
    You must uninstall one of them.

    Download the attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.
     
